Meet iXRack — a customized and repeatable rack-scale infrastructure. Ideal for web-scale, virtualization, big data, private cloud, and virtually any enterprise business application.

For more information on iXRack, visit iXsystems.com/iXRack today.
Dear Readers,


FreeBSD 11.0 is finally out! Were you impatient and 
did you download your upgrade right away? 


I’m writing to you from my hotel room in Orlando, Florida. Beautiful weather is outside my window; Hurricane Matthew hasn't reached this city. I hope you all are safe where you are and that you enjoy this autumn, whether it’s cold and rainy or warm and sunny. We also have Halloween coming very soon.
What do you think about this American tradition? 


Issue-wise, let’s begin with “Serverless Approach to Security Automation” by Renan Dias. Grab some coffee and fix your corrupted server with us.


Moving on to the FreeBSD Corner. Here you will find 
an article by Mike Tancsa, “Loading an OpenSSH 
Hostkey From a Hardware Token on FreeBSD”. What 
if someone steals a copy of your private key? What if 
someone breaks into your host and makes off with 
your hostkey? Find the solution with this article. 


Next we will hop right into “Install Windows 10 using 
VNC on FreeBSD 11 and Above” by Trent Thompson. 
You have been asking us about more articles about 
bhyve - here it is. 


We have also been asked about more articles on 
OpenBSD. We hope “OpenBSD 6.0: Why and How” 
by Derek Sivers will be interesting for you. 


If you are a fan of Docker and debugging, we have you covered with Miguel Tavares’ article in “How to Connect Pycharm to Debug a Remote Docker Container Using the Containers Remote Interpreter in BSD”.


At the end of this issue, you will find an interview with 
Emile Heitor, CTO and Co-owner of NBS System, 
and Head of the Research & Expertise Department at 
Oceanet Technology as well as Rob’s Column. 


We hope you enjoy this issue and have a nice and 
sunny October. 


Marta & BSD Team 


MAGAZINE 


Editor in Chief: 


Marta Ziemianowicz 
marta.ziemianowicz@software.com.pl 
Contributing: 


Trent Thompson, Renan Dias, Mike Tancsa, Derek Sivers, Miguel Tavares, Emile Heitor and Rob Somerville.


Top Betatesters & Proofreaders: 


Denise Ebery, Eric Geissinger, Luca Ferrari, Imad Soltani, Olaoluwa Omokanwaye, Radjis Mahangoe, Mani Kanth and Mark VonFange.


Special Thanks: 
Annie Zhang 
Denise Ebery 

DTP: 

Marta Ziemianowicz 
Senior Consultant/Publisher: 
Paweł Marciniak
pawel@software.com.pl 
CEO: 

Joanna Kretowicz 
joanna.kretowicz@software.com.pl 
Publisher: 


Hakin9 Media SK
02-676 Warsaw, Poland
Postepu 17D
Poland worldwide publishing
editors@bsdmag.org
www.bsdmag.org


Hakin9 Media SK is looking for partners from all over the world. If you are 
interested in cooperation with us, please contact us via e-mail: 
editors@bsdmag.org. 


All trademarks presented in the magazine were used only for informative 
purposes. All rights to trademarks presented in the magazine are reserved 
by the companies which own them. 


BSD MAGAZINE

CONTENTS


News 


BSD World Monthly News 4 


by Marta Ziemianowicz 


This column presents the latest news coverage of 
events, product releases and trending topics. 


Security 


Serverless Approach to Security Automation 17 
by Renan Dias 


Everyone is talking about DevOps (Development and Operations). Some people say DevOps is the job of a single man, some other people say DevOps is rather a culture and is about the collaboration between the development team and the operations team. The truth is that, regardless of the conflicting ideas, everyone agrees that one of DevOps’ main goals is automation. Software release automation, right? Well, not quite. There are a lot of things that can be automated: software release, infrastructure provisioning, testing, benchmarking and security, to name a few. Now, did you notice the last thing on this list? Security.


FreeBSD Corner 


Loading an OpenSSH Hostkey From a Hardware 
Token on FreeBSD 23 


by Mike Tancsa 


I had a requirement for creating an sftp server that needs strong client and host authentication. The host needs to know it’s an authorized client connection, and the client needs to know it’s really the host it's connecting to. SSH and public key crypto is great for this, but what if someone steals a copy of your private key? What if someone breaks into your host and makes off with your hostkey? Until you detect the compromise and revoke and regenerate keys, you run the risk of a man in the middle attack, among other things.


Installing Windows 10 using VNC on FreeBSD 11 
and Above 37 


by Trent Thompson 


This October of 2016 will be a special month for FreeBSD virtualization. Not only will the most recent release of FreeBSD be ready, but it will have been a year since UEFI booting in bhyve was announced via the FreeBSD-Virtualization Mailing List. At the time, bhyve did not have the ability to allow for any type of graphical console, outside of something run on the guest OS like RDP, VNC, or SPICE. Instead, bhyve used a serial console as a means to communicate with the guest operating system.


OpenBSD 
OpenBSD 6.0: Why and How 58 
by Derek Sivers 


The only operating system I use on my computers is not Mac, not Windows, and not even Linux. It's OpenBSD, and I love it so much.

Since OpenBSD 6.0 was released today, I figured I should say a little something about why I love it, and how you can try it.


Docker 


How to Connect Pycharm to Debug a Remote 
Docker Container Using the Containers Remote 


Interpreter in BSD 70 
by Miguel Tavares 


For a little background on my activity, I've been working with Python and Stackless Python on Django MVC’s on several BSD servers and using PyCharm as Python IDE to develop on.


Interview 


Emile Heitor, CTO and Co-owner of NBS System, and Head of the Research & Expertise Department at Oceanet Technology 78

by Marta Ziemianowicz, Marta Sienicka & Marta Strzelec
BSD Certification

The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.

WHAT CERTIFICATIONS ARE AVAILABLE?

BSDA: Entry-level certification suited for candidates with a general Unix background and at least six months of experience with BSD systems.

BSDP: Advanced certification for senior system administrators with at least three years of experience on BSD systems. Successful BSDP candidates are able to demonstrate strong to expert skills in BSD Unix system administration.

WHERE CAN I GET CERTIFIED?

We’re pleased to announce that after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.

Payments are made through our registration website:
https://register.bsdcertification.org//register/payment

WHERE CAN I GET MORE INFORMATION?

More information and links to our mailing lists, LinkedIn groups, and Facebook group are available at our website:
http://www.bsdcertification.org

Registration for upcoming exam events is available at our registration website:
https://register.bsdcertification.org//register/get-a-bsdcg-id


The Google Summer of Code is held every year, giving students around the world an opportunity to showcase their coding talents. The following participants have been selected to represent FreeBSD on various projects ranging from security, virtualization, kernel, to cloud. Congrats to the following on their submissions to Google Summer of Code!

FreeBSD Google Summer of Code 2016:
https://summerofcode.withgoogle.com/organizations/4892834293350400/

Past Summer of Codes:
https://www.freebsd.org/projects/summerofcode.html


https://www.freebsdnews.com/2016/09/30/fre 
Conference to Return to the “Birthplace of BSD” for Its Fifth Installment

SAN JOSE, CA-(Marketwired — September 06, 2016) — iXsystems announced today that the fifth MeetBSD California conference will take place at UC Berkeley’s Clark Kerr campus on November 11-12. As in past years, this year’s MeetBSD California will once again follow a mixed “unConference” format and will feature breakout sessions, discussion groups, and talks from prominent figures in the BSD community.

MeetBSD California is the premier BSD Conference in the San Francisco Bay Area. Since its inception in 2008, MeetBSD California has been held every two years in Silicon Valley, bringing together BSD community members from all over the region and around the world.

Previous settings for MeetBSD California have included the Google and Yahoo! Campuses, Hacker Dojo in Mountain View, and the Western Digital campus in San Jose. The BSD operating system was developed in the early 90s at this year’s venue, UC Berkeley.

Kirk McKusick, one of the instigators of BSD at Berkeley in the 1980s, says, “I am thrilled to have a BSD Conference return to the campus at which it started. I look forward to catching up on all the latest work going into the BSD systems and especially look forward to the party at the historic Hillside Club on Friday evening.”

“For this fifth installment of the MeetBSD California conference, we’re proud to bring it home to where it all began,” says Matt Olander, Co-Founder and Chief Science Officer of iXsystems. “UC Berkeley provides the perfect backdrop for the accomplishment of BSD related development milestones. We’re looking forward to the insightful discussions that will take place at this year’s MeetBSD.”

For more information about MeetBSD or to register to attend, visit MeetBSD.com or email info@meetbsd.com.

https://www.ixsystems.com/blog/ixsystems-host-meetbsd-california-2016-uc-berkeley/
FreeBSD 11 Released — The O Gets New Features

The FreeBSD Release Engineering Team has announced the general availability of the FreeBSD 11 open source operating system. This is the first release of the stable/11 branch and it comes with many security improvements and better hardware support.

Towards the end of the last month, we reported that the final images of FreeBSD 11 had started to appear on the FTP servers before the official release. Now, the official release version of FreeBSD 11 is here and it’s available for download.

Security improvements in the final release

Users who installed the bootleg version a couple of weeks ago need to upgrade their systems. Wondering why? It’s because the developers have rebuilt and republished the FreeBSD 11 mirrors due to some last minute security fixes.

The announcement mentions fixes to OpenSSL, BIND, bspatch, Portsnap, and libarchive. You'll also see OpenSSH security patches along with an upgrade to 7.2p2.

The latest release of this open source operating system comes with new architecture support, toolchain enhancements, performance improvements, and support for contemporary wireless chipsets.

The FreeBSD Foundation says that the new release represents years of hard work by the members of the large FreeBSD community.

Better hardware support in FreeBSD 11

The svnlite utility has been updated to version 1.9.4. FreeBSD 11 also brings support for the AArch64 (arm64) architecture and the bhyve hypervisor. There’s also out-of-the-box support for Raspberry Pi, Raspberry Pi 2, and Beaglebone Black peripherals.

FreeBSD 11 is now available for different architectures including amd64, i386, powerpc, powerpc64, sparc64, armv6, and aarch64. Users can install this open source operating system from bootable ISO images or over the network.

For more information, you can read the release announcement. Get the FreeBSD 11 images from the download page.

https://www.freebsdnews.com/2016/09/30/freebsd-11-0-release-delayed/
OpenBSD Founder Calling For LLVM To Face A Cataclysm Over Its Re-Licensing

For over one year, there's been talk of LLVM pursuing a mass relicensing from its University of Illinois/NCSA Open Source License, which is similar to the three-clause BSD license, to the Apache 2.0 license with explicit mention of GPLv2 compatibility. As mentioned in that aforelinked article, this re-licensing is moving ahead. OpenBSD leader Theo de Raadt is predicting this could cause a major problem and is in fact hoping for it.

LLVM/Clang has been popular with many BSD operating systems due to LLVM/Clang's more liberal licensing. But if they switch to the Apache 2.0 license, Theo de Raadt commented, "I hope a year or two later, some author of a component (especially one from Europe where the moral rights of an author still carries substantial weight) submarines the new license, surfacing to indicate that they never signed off on the additional terms applied to them as a significant author, and will accept no cash to solve the problem. Then they are dead in the water."

If that comes about, then he feels the project could face a cataclysm and that a fork of LLVM/Clang could happen from the last point of the code being under the current license.

Theo goes as far as calling the current re-licensing push "copyright theft" and "I suspect a few people are being paid a lot of wages to act as agents permitting theft from their co-contributors. They worked with others but now they are ready to steal from them." He's also hoping that someone now will intentionally try to get "a major diff" of code into LLVM now and will ultimately oppose this re-licensing being pursued by the LLVM Foundation.

http://www.phoronix.com/scan.php?page=news_item&px=LLVM-License-Theo-de-Raadt
Raspbian gets user interface makeover and Chromium browser

Fruity low-cost computer the Raspberry Pi is constantly getting enhancements, and the latest is an update to its Raspbian Linux build, which has been given a makeover with a new desktop shell called PIXEL and a version of the Chromium browser.

New PIXEL desktop: We know you were missing your nature backgrounds. Pic: RPi Foundation

Raspbian is the default platform that the folks at Raspberry Pi provide for the popular bare board miniature computer. This is based on Debian Linux and has traditionally shipped with a rather spartan desktop user interface known as LXDE.

This has now been superseded by PIXEL, which stands for “Pi Improved Xwindows Environment, Lightweight”. This has apparently been developed from LXDE, but has had so many improvements that it has become “a complete product in its own right and should have its own name”.

PIXEL not only gives the icons on the taskbar, menu and file manager a long overdue makeover, but introduces a choice of background wallpaper images. There is also a new boot-up splash screen that replaces the scrolling Linux startup script messages and handily displays a Raspbian version number.

The original desktop. Screengrab courtesy RPi Foundation.

The frame design for individual windows has also been given a more contemporary look, as “the old window design always looked a bit dated compared to what Apple and Microsoft are now shipping,” according to Raspberry Pi’s UX Engineer Simon Long, writing on the Raspberry Pi blog.

For users of the Raspberry Pi 3 device, there are now options in the Wi-Fi and Bluetooth menus to turn off these devices if required. This should also work with most external Wi-Fi and Bluetooth USB dongles.

Browser bling

Perhaps more interesting is an initial release of a version of Chromium for the Raspberry Pi. Chromium is the open source project upon which Google bases its Chrome browser, and is now offered as an alternative to the Epiphany browser that Raspbian has included for the last few years.

With this, Pi users can now enjoy hardware accelerated playback for streamed content, thanks to an included h264ify extension that enables YouTube to serve up H.264 versions of videos. Also included is the uBlock Origin adblocker, purely in the interests of stopping intrusive adverts from slowing down the browsing experience, of course.

Chromium for the Raspberry Pi. Screengrab courtesy RPi Foundation.

Another addition is a port of RealVNC’s VNC server and viewer applications, enabling users to remote screen into their Raspberry Pi, or alternatively use it as a terminal for controlling other VNC-enabled systems.

These enhancements come at a cost, with Raspberry Pi warning that Chromium in particular is more demanding of hardware resources than the Epiphany browser. While it runs well on the Raspberry Pi 2 and the beefier Raspberry Pi 3, the Pi 1 and Pi Zero hardware may struggle, Long said.


http://www.theregister.co.uk/2016/09/28/raspberry_pi_adds_pixel_eye_candy_to_desktop_to_ple 
Apple is taking a page from Microsoft's Windows 10 playbook and will push out its latest macOS (ex-OS X) update as an automatic download.

The Cupertino maker of the Performa 275 has confirmed to El Reg that later this week it will begin to push macOS Sierra to Mac owners who have the "automatic update" function enabled on their computers. This feature is usually switched on to receive security fixes and feature updates as soon as possible. Now it'll cause the Sierra upgrade to automatically download onto Macs running OS X El Capitan. Users can install the package by giving the go-ahead in a dialog box.

Introduced earlier this year at WWDC, Sierra has been touted for its improved integration with Apple's iOS platform, as well as its borrowing of the Siri personal assistant tool.

To get Sierra, Mac owners will need to be running at least the Late 2009 iMac or MacBook models, the 2010 or newer MacBook Pro, MacBook Air, Mac mini, or Mac Pro. It requires at least 2GB of RAM and 8.8GB of free disk space.

Apple's Sierra rollout looks to be much smoother than Microsoft's disastrous Windows 10 update shove. That effort saw Microsoft roundly criticized for an update campaign that many of its customers had deemed far too pushy and deceptive.

Microsoft enraged users who wanted to keep their machines on Windows 7 and 8.1 by force-feeding them Windows 10; for many folks, the operating system would automatically download in the background and install itself, requiring just a reboot to switch across to the new OS, after months of irritating popups and sneaky dialog boxes.

Apple doesn't appear to be cramming its software as hard as Microsoft — you have to have automatic updates enabled and the storage space to take it, and you have to explicitly agree to the installation — but that's because it doesn't have to; Cupertino's customers are conditioned to be extremely loyal to the brand and take whatever Tim Cook and co hand out, whereas Microsoft has spent decades expertly fostering resentment.

As a result, Apple tends to have a much faster (and smoother) uptake for its OS updates than counterparts in the Windows world.

http://www.theregister.co.uk/2016/10/03/apple_automatic_installs_of_macos_sierra/
Serverless Approach to Security Automation

by Renan Dias

Everyone is talking about DevOps (Development and Operations). Some people say DevOps is the job of a single man, some other people say DevOps is rather a culture and is about the collaboration between the development team and the operations team. The truth is that, regardless of the conflicting ideas, everyone agrees that one of DevOps’ main goals is automation. Software release automation, right? Well, not quite. There are a lot of things that can be automated: software release, infrastructure provisioning, testing, benchmarking and security, to name a few. Now, did you notice the last thing on this list? Security.


It seems that people on the DevOps wave are only focusing on software release and not treating security as a first-class citizen. For that reason, a new term has recently come to the fore: DevSecOps (or DevOpsSec). DevSecOps aims to turn security into a first-class citizen in the DevOps wave by treating security as code and automating security procedures. For instance, suppose a company deals with sensitive information at the infrastructure level. They probably have procedures in place to test their infrastructure to make sure there are as few security glitches as possible. However, depending on the size of the infrastructure, it might turn out to be quite expensive to run all of these tests manually, which means that these procedures need to be automated. They could automate running vulnerability scans and penetration tests when significant changes have been pushed to the infrastructure, for example. If you had never thought about automating security procedures, that is what this article is all about.
Problem

A tainted server is a system where there has been any sort of unauthorized activity. This means that, if an unauthorized SSH session is open on a server, for instance, this server becomes tainted.


Consider now the following scenario: you have a cluster of servers in Amazon Web Services (AWS) running a web application, and these servers are part of the same Auto Scaling Group (an Auto Scaling Group is a service that scales your cluster up and down depending on the demand). Now, if you had a cluster of 1,000 servers, how would you know, for instance, when an intruder manages to log in to one of the servers? You might have several monitoring tools in place that send a notification to your phone when someone manages to log in to the servers. That is awesome. But the fact is, that depending on when this happens, you may or may not be able to take action. What if it’s in the middle of the night after a long day at work? Or what if you are on a highway driving during your holiday? That’s one of the reasons why we should bring automation to the InfoSec field.


Solution 


In a nutshell, when an unauthorized SSH session is open on a server, a script will kick in and will tag the server as tainted. As soon as the server is tagged, another procedure will decide whether the session seems to be legit or not. If the session is legit, then the server will be untagged. However, if the session is not legit, the server will be shut down.


Technology stack

The solution in this article will use the following technology components:

- Amazon Web Services:
  - EC2
  - Lambda
  - CloudWatch
  - AWS Command Line Interface
- Ubuntu 14.04 (instructions for CentOS 7 will also be given)
- Linux-PAM (Pluggable Authentication Modules)
- Python
Step 1: Launch an EC2 instance and configure PAM


This is how all of the above will be used to build the solution: you will first launch an EC2 instance 
and configure PAM to execute a shell script when an SSH session is open. This shell script will 
then use the AWS Command Line Interface to add a tag with key tainted and value true to the in- 
stance. In one of the tests, this EC2 instance will also have another tag with key manageable and 
value true. The presence of the tag manageable indicates that if an ssh session is established, it 
will not be seen as an unauthorized access, but rather as an access that was made in order to 
carry out some sort of maintenance (which the administrator is aware of). After configuring PAM, 
you will create an AWS Lambda function written in Python, which will be triggered by Cloud 
Watch. Cloud Watch will be responsible for checking when a new tag is added to an instance and 
then will trigger the Lambda function. The function, in turn, will get the instance ID and will check 
whether the tainted and manageable tags are present. If both are, the script will only remove the 
tainted tag and not shut down the instance. Else, if tainted is present and manageable is not, the 
instance will be stopped. 
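The Lambda side of that flow, written out as an added example in Python (it is not the article's own code): decide() maps an instance's tags to one of the three outcomes described above, and handler() makes the EC2 calls that outcome needs, using the boto3 call shapes for describe_tags, delete_tags and stop_instances. Two things are assumptions made so the example runs offline: the event layout (instance ID under detail["instance-id"]) and the FakeEC2 stand-in client; a real deployment would let handler() create boto3.client("ec2") instead.

```python
import json

# Tag keys used by the workflow described in the article.
TAINTED_KEY = "tainted"
MANAGEABLE_KEY = "manageable"


def _is_true(tags, key):
    """Tag values are free-form strings; normalise so 'True' and 'true ' both count."""
    return str(tags.get(key, "")).strip().lower() == "true"


def decide(tags):
    """Map an instance's tags to an action: 'untag', 'stop' or 'ignore'."""
    if not _is_true(tags, TAINTED_KEY):
        return "ignore"   # no unauthorized session recorded on this instance
    if _is_true(tags, MANAGEABLE_KEY):
        return "untag"    # maintenance the administrator already knows about
    return "stop"         # tainted and not manageable: isolate the instance


def instance_tags(ec2, instance_id):
    """Fetch the instance's tags with describe_tags and flatten them to a dict."""
    resp = ec2.describe_tags(
        Filters=[{"Name": "resource-id", "Values": [instance_id]}])
    return {t["Key"]: t["Value"] for t in resp.get("Tags", [])}


def handler(event, context=None, ec2=None):
    """Lambda entry point. `ec2` is injectable for offline tests; when it is
    None a real boto3 client is created (the assumed deployment, not run here)."""
    if ec2 is None:
        import boto3  # only needed inside Lambda
        ec2 = boto3.client("ec2")
    # Assumed event layout: the trigger passes the instance ID under detail.instance-id.
    instance_id = event["detail"]["instance-id"]
    action = decide(instance_tags(ec2, instance_id))
    if action == "untag":
        ec2.delete_tags(Resources=[instance_id], Tags=[{"Key": TAINTED_KEY}])
    elif action == "stop":
        ec2.stop_instances(InstanceIds=[instance_id])
    return {"instance": instance_id, "action": action}


class FakeEC2:
    """Constructed in-memory stand-in for boto3's EC2 client, covering only
    the three calls the handler makes and mimicking their response shapes."""

    def __init__(self, tags_by_instance):
        self.tags = {i: dict(t) for i, t in tags_by_instance.items()}
        self.stopped = []

    def describe_tags(self, Filters):
        ids = Filters[0]["Values"]
        return {"Tags": [{"ResourceId": i, "Key": k, "Value": v}
                         for i in ids for k, v in self.tags.get(i, {}).items()]}

    def delete_tags(self, Resources, Tags):
        for i in Resources:
            for t in Tags:
                self.tags.get(i, {}).pop(t["Key"], None)
        return {}

    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}


def demo():
    """Run the article's two scenarios plus a no-op case on constructed instance IDs:
    sanctioned maintenance (untag), unexpected login (stop), unrelated tag change (ignore)."""
    ec2 = FakeEC2({
        "i-0aaa": {TAINTED_KEY: "true", MANAGEABLE_KEY: "true"},
        "i-0bbb": {TAINTED_KEY: "true"},
        "i-0ccc": {"Name": "web-1"},
    })
    results = [handler({"detail": {"instance-id": i}}, ec2=ec2)
               for i in ("i-0aaa", "i-0bbb", "i-0ccc")]
    return results, ec2


if __name__ == "__main__":
    results, ec2 = demo()
    print(json.dumps(results, indent=2))
    print("stopped:", ec2.stopped)
    print("remaining tags:", ec2.tags)
```

The manageable tag is the trust anchor of this design: whoever can create tags on the instance can also add it, and the PAM script's role necessarily has ec2:CreateTags, so that role should be scoped to the instance it runs on and the Lambda function's role needs only ec2:DescribeTags, ec2:DeleteTags and ec2:StopInstances. The unrelated-tag case ("ignore") matters in practice because the trigger fires on any tag change, not just the tainted one.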


The first step will be to launch an EC2 instance. If you're already an EC2 instance launching expert, just launch an instance with the operating system of your choosing, attach an Identity and Access Management (IAM) role which allows the “ec2:CreateTags” action, add a tag to your instance with the key manageable and value true, and then skip to the part where PAM will be configured. If you have not ever set up an EC2 instance, keep reading.
Go to the AWS console and click on EC2:

[Screenshot: the AWS Management Console services list (Storage, Database, Developer Tools, Management Tools, Security & Identity, Internet of Things, Game Development, Mobile Services, Application Services), with the Resource Groups and Service Health panels on the right.]
Then, click on Launch Instance:

[Screenshot: the EC2 dashboard for the US West (Oregon) region, showing the Resources summary and the Launch Instance button.]

To launch an EC2 instance with Ubuntu 14.04, click on Ubuntu Server 14.04 LTS (HVM), SSD Volume Type:

[Screenshot: Step 1: Choose an Amazon Machine Image (AMI), listing Red Hat Enterprise Linux 7.2 (HVM), SUSE Linux Enterprise Server 12 SP1 (HVM) - ami-d2627db3, Ubuntu Server 14.04 LTS (HVM), SSD Volume Type - ami-d732f0b7 (free tier eligible, 64-bit, root device type ebs, virtualization type hvm) and Microsoft Windows Server 2012 R2 Base - ami-2827f548.]
To launch an EC2 instance with CentOS 7, click on AWS Marketplace (left-hand side) and type in CentOS 7. The console will show at the top the CentOS 7 AMI - CentOS 7 (x86_64) - with Updates HVM:

[Screenshot: Step 1: Choose an Amazon Machine Image (AMI), AWS Marketplace search for “CentOS 7”; top result “CentOS 7 (x86_64) - with Updates HVM”, sold by Centos.org, $0.00/hr for software + AWS usage fees, Linux/Unix, CentOS 7, 64-bit, updated 2/26/16: the official CentOS 7 x86_64 HVM image built with a minimal profile, suitable for use in HVM instance types only.]

From now on, the images will only show the instructions for Ubuntu 14.04, but the equivalent instructions for CentOS 7 will be given when necessary.


After selecting an operating system, choose the size of your instance and click on Next: Configure Instance Details (since PAM does not require a powerful CPU or much memory, the t2.nano instance size will do):


[Screenshot: Step 2: Choose an Instance Type, with t2.nano (1 vCPU, 0.5 GiB memory, EBS only, Low to Moderate network performance) selected among the general purpose t2 and m4 types.]
Feel free to change any configuration you'd like on this page. The most important setting, though, is the IAM role: the instance needs a role that allows the ec2:CreateTags action, because the PAM hook you will install later tags the instance through that role. If you already have a role with that permission, select it from the drop-down list. Otherwise, create a new role by clicking on Create new IAM role (the link opens in a new tab or window):


[Screenshot: Step 3: Configure Instance Details, with Network vpc-e2aa1187 (172.31.0.0/16, default), Subnet subnet-9cdc6deb (172.31.32.0/20, default in us-west-2a), Auto-assign Public IP following the subnet setting, IAM role None, Shutdown behavior Stop, Tenancy Shared, and the Create new IAM role link.]


This page lists all the IAM roles you have already created. Before creating a role, though, you need to create a policy yourself, because there is no AWS managed policy that grants only the permission we need (you could attach the much broader AmazonEC2FullAccess policy, but we only need the CreateTags action; always bear in mind the Principle of Least Privilege). To create a new policy, click on Policies in the left panel:


[Screenshot: IAM console, Roles page ("No records found"), with Policies in the left panel.]
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Then, click on Create Policy: 


[Screenshot: IAM Policies page listing the AWS managed policies (AdministratorAccess, AmazonEC2FullAccess, AmazonS3FullAccess, PowerUserAccess, ...; 207 results), with the Create Policy button.]
To create your own policy, select the bottommost option, Create Your Own Policy:


[Screenshot: Create Policy, Step 1, offering three options: Copy an AWS Managed Policy, Policy Generator, and Create Your Own Policy ("Use the policy editor to type or paste in your own policy").]
Name the policy TaintedServerEC2Access and add a brief description (you could leave the description empty if you'd like):


[Screenshot: Review Policy page with Policy Name TaintedServerEC2Access, Description "Allows EC2 instance to tag itself and other instances", and an empty Policy Document.]


Now, in regards to the policy document, copy and paste the following JSON object:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1475523748249",
      "Action": [
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

A Policy Document is a JSON object that states which AWS API actions can or cannot be called by the identities (users, groups, and roles) it is attached to. The policy document above, for instance, allows those identities to call the CreateTags action of the EC2 API on any resource. If you wish to restrict this permission to a specific resource (e.g., a particular instance), you will need the resource's Amazon Resource Name (ARN) in the Resource element. Learn more about Policy Documents* and Amazon Resource Names**.

Click on Validate Policy to make sure there is no syntax error:

[Screenshot: the Review Policy page showing "This policy is valid." above the policy document.]


After successfully validating your policy, click on Create Policy. 


*http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html

**http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
Now that you have your own policy, create a new role by clicking on Roles on the left panel and then on the Create New Role button at the top:


[Screenshot: IAM Roles page ("No records found") with the Create New Role button.]


Call it role-tainted-server and click on Next Step to move forward: 


[Screenshot: Create Role, Step 1: Set Role Name, with Role Name role-tainted-server.]
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Now select the Amazon EC2 role type: 


[Screenshot: Create Role, Step 2: Select Role Type, under AWS Service Roles, with Amazon EC2 ("Allows EC2 instances to call AWS services on your behalf") selected.]
Type TaintedServerEC2Access to filter for the managed policy you've just created. Select it and click Next Step:


[Screenshot: Create Role, Step 4: Attach Policy, filtered to TaintedServerEC2Access (0 attached entities), with the policy selected.]
After creating the role, go back to the EC2 launch page and click on the refresh arrow so the console reloads the list of roles and shows the one you've just created. Select your role and hit Next: Add Storage:


[Screenshot: Step 3: Configure Instance Details, now with IAM role set to role-tainted-server.]
Change the storage configuration if necessary, then hit Next: Tag Instance:
[Screenshot: Step 4: Add Storage, root volume /dev/sda1, 8 GiB General Purpose SSD (GP2), not encrypted, delete on termination.]
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In the Tag Instance page, add two tags: 


Key Value 
Name Tainted Server Test 
manageable true 


The Name tag is just a suggestion: it makes this instance easier to find if you have many EC2 instances. The manageable tag, however, is mandatory (later in this article, you will see why). Add any further tags you find necessary and click on Next: Configure Security Group:


[Screenshot: Step 5: Tag Instance, with the tags Name = Tainted Server Test and manageable = true.]


On the security group page, select any existing security group that allows inbound traffic on port 22 (SSH) from your IP address only (opening SSH to 0.0.0.0/0 is a really bad practice). If you don't have a security group with this rule, create a new one. Call it seg-tainted-server, select the My IP option in the drop-down list under Source and hit Review and Launch:


[Screenshot: Step 6: Configure Security Group, creating seg-tainted-server ("Security group for the tainted server") with a single TCP rule for port 22 whose Source is My IP (a /32 address).]


Review all the instance launch details and click on Launch. If you already have an SSH key pair registered in your account, select it. Otherwise, create a new key pair, download it and click on Launch Instances:


[Screenshot: Step 7: Review Instance Launch (Ubuntu Server 14.04 LTS, t2.nano, security group seg-tainted-server), followed by the "Select an existing key pair or create a new key pair" dialog creating a key pair named tainted-server. The private key (.pem) file must be downloaded before continuing; it cannot be downloaded again later.]
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Grab either the public DNS name or the public IP address of the instance: 


[Screenshot: EC2 Instances list showing "Tainted Server Test" (i-6c939374, t2.nano, us-west-2a, running), with public DNS ec2-52-36-141-206.us-west-2.compute.amazonaws.com, public IP 52.36.141.206, private IP 172.31.35.204 and security group seg-tainted-server.]

And ssh into it:

$ ssh -i ~/.ssh/tainted-server.pem ubuntu@52.36.141.206
The authenticity of host '52.36.141.206 (52.36.141.206)' can't be established.
ECDSA key fingerprint is SHA256:Zh18mK+6LdMeipbvRJ£+q5KhXZq2VaE3Fx+f£rOOKBbk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '52.36.141.206' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-92-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Oct  4 17:53:19 UTC 2016

  System load: 0.16              Memory usage: 10%   Processes:       82
  Usage of /:  10.0% of 7.74GB   Swap usage:   0%    Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

ubuntu@ip-172-31-35-204:~$


Note: if you received the message below:

Warning: Permanently added '52.36.141.206' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/renandias/.ssh/tainted-server.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/renandias/.ssh/tainted-server.pem": bad permissions
Permission denied (publickey).

just change the permissions of your SSH key to 600 (readable and writable by the owner only):

$ chmod 600 <path-to-your-ssh-key>


Once you log into the server, open the PAM configuration for the SSH daemon located at 
/etc/pam.d/sshd: 


ubuntu@ip-172-31-35-204:~$ sudo vim /etc/pam.d/sshd 


PAM already comes installed in most Linux distributions. If your system does not have it, do some quick research on how to install it on your distribution.

To execute a script upon successful login, you will use PAM's pam_exec module. Add the following rule to the bottom of the file:

Now, create the /usr/local/bin/tainted file with the following code:


First, the script checks PAM_TYPE. PAM passes data to the script via environment variables; with PAM_TYPE it is possible to tell whether the user has just opened a session or closed one, and that is what the if statement below the shebang line does. We are not interested in tagging the instance when a session is closed, only when one has been opened. The curl command then makes a request to the IPv4 link-local address 169.254.169.254 to get the instance's ID. Let's pause here, because you might be asking yourself what this seemingly random IP address is. According to RFC 3927, an IPv4 link-local address is an address within the 169.254/16 range, used to communicate with other devices on the same physical (or logical) link. Amazon hasn't published implementation details about how this is done, but my assumption is that some device on the instance's physical or logical link is responsible for answering metadata requests. Back to the script: it then uses the AWS CLI to tag the instance with the tainted key (you will need to pass the region code to the AWS CLI, unless you run aws configure and set a default region). Note, though, that the AWS CLI does not come installed on the Ubuntu AMI (or the CentOS AMI). Save the script above and install the AWS CLI with the following commands:


Note: you will not need any AWS credentials, since the instance already has an IAM role attached to it and the CLI picks up the role's temporary credentials from the instance metadata.


Last but not least, change the script's permissions so the system can execute it:


Without further ado, test whether the instance tags itself after you ssh into it. The test is easy: just terminate your SSH session and log in again.
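As an added example (not the article's own tainted script, which uses curl and the AWS CLI), here is the same pam_exec hook written in Python: it checks PAM_TYPE, fetches the instance identity from 169.254.169.254 and tags the instance with tainted=true through boto3. It assumes a PAM rule of the form "session optional pam_exec.so /usr/local/bin/tainted" in /etc/pam.d/sshd, an instance role allowed to call ec2:CreateTags, and boto3 installed on the instance. It goes beyond the article in two places: it reads the region from the instance identity document, so no aws configure is needed, and it requests an IMDSv2 session token first, falling back to a plain GET. Short timeouts, swallowed exceptions and an unconditional exit 0 keep a broken hook from stalling or denying logins; the sample identity document and the fake client used by demo() are constructed for the example.

```python
#!/usr/bin/env python3
"""pam_exec hook that tags the EC2 instance it runs on with tainted=true.

Added example, not the article's tainted script. Assumed setup: a rule such as
  session optional pam_exec.so /usr/local/bin/tainted
in /etc/pam.d/sshd (pam_exec(8) exports PAM_TYPE, PAM_SERVICE, PAM_USER and
PAM_RHOST to the hook), an instance role permitted to call ec2:CreateTags, and
boto3 in place of the AWS CLI. The IMDSv2 token step is not in the article.
"""
import json
import os
import sys
import urllib.request

METADATA = "http://169.254.169.254/latest"  # link-local metadata service (RFC 3927 range)
TIMEOUT = 2.0                                 # seconds: a slow metadata call must not stall logins
TAINT_TAGS = {"tainted": "true"}

# Constructed sample identity document; only demo() uses it.
SAMPLE_IDENTITY_DOC = '{"instanceId": "i-6c939374", "region": "us-west-2"}'


def should_tag(env):
    """True only for a freshly opened sshd session: not for close_session and
    not for another PAM service that happens to share this hook."""
    return (env.get("PAM_TYPE") == "open_session"
            and env.get("PAM_SERVICE", "sshd") == "sshd")


def metadata(path, opener=urllib.request.urlopen):
    """GET one metadata path, carrying an IMDSv2 session token when the service
    issues one; otherwise the plain GET the article's curl call makes."""
    headers = {}
    try:
        req = urllib.request.Request(
            METADATA + "/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with opener(req, timeout=TIMEOUT) as resp:
            headers["X-aws-ec2-metadata-token"] = resp.read().decode()
    except Exception:
        pass  # IMDSv1 only: continue without a token
    req = urllib.request.Request(METADATA + "/" + path, headers=headers)
    with opener(req, timeout=TIMEOUT) as resp:
        return resp.read().decode().strip()


def instance_identity(fetch=metadata):
    """(instance_id, region) from the instance identity document, so the hook
    never needs a hard-coded region or 'aws configure'."""
    doc = json.loads(fetch("dynamic/instance-identity/document"))
    return doc["instanceId"], doc["region"]


def tag_request(instance_id, tags=TAINT_TAGS):
    """Keyword arguments for EC2 CreateTags in boto3 form."""
    return {"Resources": [instance_id],
            "Tags": [{"Key": k, "Value": v} for k, v in sorted(tags.items())]}


def run(env=os.environ, fetch=metadata, create_tags=None):
    """Decide, look up the identity, tag. Returns the CreateTags parameters
    that were sent, or None when nothing was sent. Errors are logged and
    swallowed: a broken hook must never block the login it is observing."""
    if not should_tag(env):
        return None
    try:
        instance_id, region = instance_identity(fetch)
        params = tag_request(instance_id)
        if create_tags is None:
            import boto3  # credentials come from the instance role, not from config files
            create_tags = boto3.client("ec2", region_name=region).create_tags
        create_tags(**params)
        return params
    except Exception as exc:
        sys.stderr.write("tainted hook failed: %s\n" % exc)
        return None


def demo():
    """Exercise run() offline with the constructed document and a fake client."""
    sent = []
    fetch = lambda path: SAMPLE_IDENTITY_DOC
    record = lambda **kw: sent.append(kw)
    opened = run({"PAM_TYPE": "open_session", "PAM_SERVICE": "sshd"}, fetch, record)
    closed = run({"PAM_TYPE": "close_session", "PAM_SERVICE": "sshd"}, fetch, record)
    return opened, closed, sent


if __name__ == "__main__":
    run()
    sys.exit(0)  # always succeed here; the Lambda function, not the hook, decides what happens next
```

Running demo() shows the two outcomes without touching AWS: the open_session call produces a CreateTags request for i-6c939374, the close_session call produces nothing. On the instance, drop the file at /usr/local/bin/tainted, make it executable and reference it from /etc/pam.d/sshd as the article describes; the hook needs only the ec2:CreateTags permission granted to role-tainted-server.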
This should trigger the tainted script, and the instance should have a new tag with key tainted and value true:


[Screenshot: EC2 console, Tags tab of instance i-6c939374 (Tainted Server Test) after logging in again.]


Perfect, everything seems to be working! If your instance does not tag itself, run the tainted script manually (with PAM_TYPE=open_session set in its environment, since the script checks that variable) and look for errors. After fixing them, remove the tainted tag and confirm that the instance tags itself when a user logs in over ssh.


Step 2: Create a Lambda function 


Now that the server is ready, you need to create a Lambda function that will execute as soon as an unauthorized ssh session is established. In this article, the function will stop the instance. However, if you wish to use this approach to protect production servers, assess your environment first.


Suppose you have a service running on multiple machines in an Auto Scaling Group, and you decide that no one should ssh into these servers to carry out any sort of maintenance. In this case, since you have multiple servers and the Auto Scaling Group is configured to spin up new instances as instances go down, it is perfectly fine to stop or terminate an instance as soon as an unauthorized ssh session is established (unless ssh sessions are established on all servers of the Auto Scaling Group at the same time, which would indicate a serious security problem). What action the Lambda function carries out is entirely up to you. The goal of this article is to show how to use a serverless approach to secure your systems.
Even if the servers in a certain Auto Scaling Group are not meant to be managed, you might still need to carry out some maintenance under particular circumstances. In that case, you can tell your Lambda function that everything is fine with the "tainted" instance and that it should not be stopped or terminated. This can be done with a different tag. Remember the manageable tag you created for the instance? That's right. If the manageable tag is present, an authorized person is logged in to the instance (if an unauthorized person manages to tag the instance with the manageable tag and ssh into it, that is another security problem you need to look into). Bear in mind that the TaintedServerEC2Access policy created earlier allows ec2:CreateTags on any resource, so whoever gains a shell on the tainted instance can use the instance role to add the manageable tag as well; if that matters in your environment, tighten that policy so the instance can only create the tainted key (the aws:TagKeys condition key does this for ec2:CreateTags).


To summarize what the Lambda function will do:

• The function gets the instance ID of the tainted server.

• If it finds the manageable tag, it does not stop the instance and removes the tainted tag instead.

• Otherwise, if it does not find the manageable tag, the instance is stopped.


The function in this article is written in Python, but it could easily be ported to Node.js or Java (the other languages currently supported by AWS Lambda). Here is the function:
import boto3
import json

ec2 = boto3.client('ec2')


def lambda_handler(event, context):

    # 1
    # Retrieve EC2 instance ID
    instanceId = event['detail']['requestParameters']['resourcesSet']['items'][0]['resourceId']

    # 2
    # Get all the tags of the instance
    response = ec2.describe_tags(
        Filters=[
            {
                'Name': 'resource-id',
                'Values': [
                    instanceId
                ]
            }
        ]
    )

    # 3
    isManageable = False

    # 4
    # Finding out if instance is manageable
    for tag in response['Tags']:
        if tag['Key'] == 'manageable' and tag['Value'] == 'true':
            isManageable = True

    # If the instance is not manageable, the instance will be shut down
    if isManageable is False:
        # 5
        try:
            response = ec2.stop_instances(
                InstanceIds=[
                    instanceId
                ]
            )
            print(response)
        except Exception as e:
            print(e)
            print("Exception thrown when shutting down instance: " + instanceId)
    else:
        # 6
        # Removing tainted tag since the instance is manageable
        try:
            response = ec2.delete_tags(
                Resources=[
                    instanceId
                ],
                Tags=[
                    {
                        'Key': 'tainted'
                    }
                ]
            )
            print(response)
        except Exception as e:
            print(e)
            print("Exception thrown when removing tainted tag from instance: " + instanceId)

Here's the breakdown of what the function is doing:


• #1 - Retrieves the instance ID of the instance that triggered the Lambda function (note: the event dictionary is deeply nested, so to find the correct keys, print the dictionary first and study its structure).

• #2 - Describes the tags of the instance. The response is a dictionary with the key Tags.

• #3 - Declares a variable called isManageable. It will hold False if the instance does not have the manageable tag and True otherwise.

• #4 - Loops through the list of tags and sets isManageable to True if the instance has the manageable tag.

• #5 - If there is no manageable tag, the instance is stopped.

• #6 - If there is a manageable tag, the instance is not stopped and the tainted tag is removed instead.
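Before pasting the function into the console, it is worth seeing the decision as a unit you can test. What follows is an added example, not the article's RecycleInstance function: it keeps the same three steps (read the instance ID from the event, describe its tags, stop or untaint) but factors them out so they run against a fake EC2 client, and it adds one check the article's version lacks: it only acts when the CreateTags call in the event actually set tainted=true, so tagging an instance with, say, a new Name no longer stops it. It assumes the event is a CloudTrail CreateTags record delivered through a CloudWatch Events rule, with tagSet next to resourcesSet in requestParameters (the article's function only reads resourcesSet). FakeEC2 and taint_event are constructed stand-ins for the example.

```python
"""Added example, not the article's RecycleInstance function.

Assumed event shape: event['detail'] is the CloudTrail record of a CreateTags
call, whose requestParameters carry both 'resourcesSet' (as in the article)
and 'tagSet' with the keys and values that were written.
"""

TAINT_KEY, TAINT_VALUE = "tainted", "true"
MANAGE_KEY, MANAGE_VALUE = "manageable", "true"


def tainted_instances(event):
    """Instance IDs named in a CreateTags event, but only when that call set
    tainted=true. Without this check every CreateTags call in the account
    (renaming an instance, for example) would stop the instance it touched."""
    params = event.get("detail", {}).get("requestParameters", {})
    written = {t.get("key"): t.get("value")
               for t in params.get("tagSet", {}).get("items", [])}
    if written.get(TAINT_KEY) != TAINT_VALUE:
        return []
    ids = [r.get("resourceId") for r in params.get("resourcesSet", {}).get("items", [])]
    return [i for i in ids if i and i.startswith("i-")]


def decide(tags):
    """tags is the Tags list from describe_tags: 'untaint' when the instance
    carries manageable=true (someone authorised is logged in), else 'stop'."""
    for t in tags:
        if t.get("Key") == MANAGE_KEY and t.get("Value") == MANAGE_VALUE:
            return "untaint"
    return "stop"


def recycle(event, ec2):
    """Apply the decision to every tainted instance in the event through an
    EC2 client exposing describe_tags / stop_instances / delete_tags (boto3 or
    a fake). Returns {instance_id: action} so the outcome can be logged."""
    actions = {}
    for iid in tainted_instances(event):
        resp = ec2.describe_tags(Filters=[{"Name": "resource-id", "Values": [iid]}])
        action = decide(resp.get("Tags", []))
        if action == "stop":
            ec2.stop_instances(InstanceIds=[iid])
        else:
            ec2.delete_tags(Resources=[iid], Tags=[{"Key": TAINT_KEY}])
        actions[iid] = action
    return actions


def lambda_handler(event, context):
    import boto3  # imported here so the decision logic above runs without it
    return recycle(event, boto3.client("ec2"))


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client that records its calls."""
    def __init__(self, tags_by_instance):
        self.tags = {i: dict(t) for i, t in tags_by_instance.items()}
        self.calls = []

    def describe_tags(self, Filters):
        iid = Filters[0]["Values"][0]
        return {"Tags": [{"Key": k, "Value": v, "ResourceId": iid}
                         for k, v in self.tags.get(iid, {}).items()]}

    def stop_instances(self, InstanceIds):
        self.calls.append(("stop", InstanceIds[0]))
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}

    def delete_tags(self, Resources, Tags):
        self.calls.append(("delete_tags", Resources[0]))
        for t in Tags:
            self.tags[Resources[0]].pop(t["Key"], None)
        return {}


def taint_event(instance_id, key=TAINT_KEY, value=TAINT_VALUE):
    """Constructed CreateTags event in the assumed CloudWatch Events shape."""
    return {"detail": {"eventName": "CreateTags",
                       "requestParameters": {
                           "resourcesSet": {"items": [{"resourceId": instance_id}]},
                           "tagSet": {"items": [{"key": key, "value": value}]}}}}


def demo():
    """Three events against two instances: one unmanaged, one manageable,
    and a plain rename that must be ignored."""
    ec2 = FakeEC2({"i-aaa": {"Name": "web", "tainted": "true"},
                   "i-bbb": {"manageable": "true", "tainted": "true"}})
    unmanaged = recycle(taint_event("i-aaa"), ec2)
    managed = recycle(taint_event("i-bbb"), ec2)
    renamed = recycle(taint_event("i-aaa", "Name", "renamed"), ec2)
    return unmanaged, managed, renamed, ec2.calls, ec2.tags["i-bbb"]
```

demo() stops i-aaa, strips the tainted tag from i-bbb and leaves the rename alone. The Lambda role behind lambda_handler needs ec2:DescribeTags, ec2:StopInstances and ec2:DeleteTags, nothing more.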


Time to create this Lambda function! 
Go to the AWS Lambda dashboard. If you haven't created a function yet, click on Get Started Now:


[Screenshot: AWS Lambda landing page with the Get Started Now button.]
On the Select Blueprint page, scroll down to the bottom and hit Skip: 


[Screenshot: Select blueprint page listing blueprints such as s3-get-object-python, microservice-http-endpoint, config-rule-change-triggered and kinesis-process-record-python, with the Skip button at the bottom.]
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Then, do not configure any trigger yet and hit Next: 




Now the important bit. Call this function RecycleInstance, give it a brief description of what it does, and select Python 2.7 (or any other version of Python available): 


[Screenshot: Configure function. Name: RecycleInstance; Description: Recycles tainted instances; Runtime: Python 2.7] 
Next, copy and paste the function into the Lambda function code frame (Code entry type: Edit code inline): 



import boto3
import json

ec2 = boto3.client('ec2')


def lambda_handler(event, context):

    # 1
    # Retrieve the EC2 instance ID from the CloudTrail CreateTags event
    instanceId = event['detail']['requestParameters']['resourcesSet']['items'][0]['resourceId']

    # 2
    # Get all the tags of the instance
    response = ec2.describe_tags(
        Filters = [
            {
                'Name': 'resource-id',
                'Values': [
                    instanceId
                ]
            }
        ]
    )

    # 3
    # Assume the instance is not manageable until a 'manageable' tag is found
    isManageable = False
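The snippet shown in the console stops at isManageable = False. What follows is an added example, not the article's code, that completes the handler along the lines the article describes: if the instance carries the manageable tag, the tainted tag is removed; otherwise the instance is stopped. It also checks that the tainted tag is actually present before acting, which the visible snippet does not show, because the CloudWatch rule fires on every ec2:CreateTags call in the account. The FakeEC2 class and the event built by create_tags_event are constructed here for offline testing; boto3 is imported only when no client is passed in. Written for Python 3.

```python
"""Added example: a complete RecycleInstance handler with an offline test double.
Not the article's code; behaviour follows the article's description."""

MANAGEABLE_TAG = "manageable"
TAINTED_TAG = "tainted"


def instance_ids_from_event(event):
    """Extract every resource ID from a CloudTrail CreateTags event delivered by
    CloudWatch Events. Returns [] when the event carries no resourcesSet, so a
    malformed or unrelated event cannot make the function act on anything."""
    try:
        items = event["detail"]["requestParameters"]["resourcesSet"]["items"]
    except (KeyError, TypeError):
        return []
    return [item["resourceId"] for item in items if "resourceId" in item]


def tag_keys(ec2, instance_id):
    """Set of tag keys currently on the instance (describe_tags, as in the article)."""
    response = ec2.describe_tags(
        Filters=[{"Name": "resource-id", "Values": [instance_id]}]
    )
    return {tag["Key"] for tag in response.get("Tags", [])}


def recycle(ec2, instance_id):
    """Decide what to do with one instance and return the decision:
    'ignored' (not tainted), 'untainted' (manageable: tag removed) or 'stopped'."""
    keys = tag_keys(ec2, instance_id)
    # Guard added in this example: the rule matches any CreateTags call, so only
    # act when the tainted tag is really present on the instance.
    if TAINTED_TAG not in keys:
        return "ignored"
    if MANAGEABLE_TAG in keys:
        ec2.delete_tags(Resources=[instance_id], Tags=[{"Key": TAINTED_TAG}])
        return "untainted"
    ec2.stop_instances(InstanceIds=[instance_id])
    return "stopped"


def lambda_handler(event, context, ec2=None):
    """Entry point named as the article's Handler field expects. The optional
    ec2 argument lets tests inject a fake client; Lambda passes only two args."""
    if ec2 is None:
        import boto3  # real client only when running inside Lambda
        ec2 = boto3.client("ec2")
    return {iid: recycle(ec2, iid) for iid in instance_ids_from_event(event)}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client (constructed for this example)."""

    def __init__(self, tags_by_instance):
        self.tags = {iid: dict(t) for iid, t in tags_by_instance.items()}
        self.stopped = []

    def describe_tags(self, Filters):
        iid = Filters[0]["Values"][0]
        return {"Tags": [{"Key": k, "Value": v}
                         for k, v in self.tags.get(iid, {}).items()]}

    def delete_tags(self, Resources, Tags):
        for iid in Resources:
            for tag in Tags:
                self.tags.get(iid, {}).pop(tag["Key"], None)

    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)


def create_tags_event(instance_id):
    """Constructed CloudTrail CreateTags event, shaped like the fields the
    article's snippet indexes into (only the parts the handler reads)."""
    return {"detail": {"eventName": "CreateTags",
                       "requestParameters": {"resourcesSet": {
                           "items": [{"resourceId": instance_id}]}}}}


if __name__ == "__main__":
    fake = FakeEC2({"i-managed": {"manageable": "true", "tainted": "true"},
                    "i-unmanaged": {"tainted": "true"}})
    print(lambda_handler(create_tags_event("i-managed"), None, fake))
    print(lambda_handler(create_tags_event("i-unmanaged"), None, fake))
    print("stopped:", fake.stopped)
```

Returning the decision per instance rather than only printing it is what makes the function testable from CloudWatch Logs and from a unit test alike.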


Scrolling down to the Lambda function handler and role, you do not need to change the Handler field because it’s already set up with the correct function to be called (lambda_handler is the default name of the function called by the AWS Lambda service): 


[Screenshot: Lambda function handler and role. Handler: lambda_function.lambda_handler] 


If you defined a function called my_awesome_function instead, then the Handler would be called lambda_function.my_awesome_function. As to the role, select the Create a new role option using the drop-down list. A new tab will open in the browser: 
[Screenshot: AWS Lambda requires access to your resources. Role Description: Lambda execution role permissions; IAM Role: Create a new IAM Role; Role Name: lambda_basic_execution. The initial Policy Document allows only logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents.] 


You can leave the Role Name as is. The important thing is the Policy Document. The Policy Document will state all actions and resources your lambda function will have access to. Basically, your lambda function needs access to: 

• Create log group 
• Create log stream 
• Put log events 
• Describe EC2 tags 
• Stop instances 
• Delete tags 

The resulting Policy Document will be the following: 


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags",
                "ec2:DeleteTags",
                "ec2:StopInstances"
            ],
            "Resource": "*"
        }
    ]
}


Note: this Policy Document states that the lambda function will be able to stop all instances. If you wish the function to only stop certain instances, get their ARN (Amazon Resource Name) and put them into an array for the Resource key. 
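To act on that note without breaking the function, here is an added example (not from the article) that holds the policy as a Python structure, lists which actions an Allow statement still grants on Resource "*", and rewrites the EC2 statement so that ec2:DeleteTags and ec2:StopInstances apply only to the given instance ARNs. ec2:DescribeTags stays on "*" because EC2 Describe calls do not support resource-level permissions, so simply swapping the Resource key on the whole statement would make describe_tags fail. The account ID 123456789012 is a placeholder; the region and instance ID are the ones that appear in the article's screenshots.

```python
"""Added example: least-privilege scoping of the article's execution policy.
Not the article's code."""
import copy
import json

# The article's resulting policy, reproduced here as a Python structure.
RECYCLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeTags", "ec2:DeleteTags", "ec2:StopInstances"],
         "Resource": "*"},
    ],
}

# EC2 Describe* actions do not support resource-level permissions and must stay on "*".
NON_SCOPABLE = {"ec2:DescribeTags"}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_allowed_actions(policy):
    """Sorted list of actions some Allow statement grants on Resource "*"
    (the thing a least-privilege review flags first)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            found.update(_as_list(stmt.get("Action", [])))
    return sorted(found)


def scope_to_instances(policy, instance_arns):
    """Return a copy of policy in which every ec2 action that supports
    resource-level permissions is limited to instance_arns. Actions that cannot
    be scoped are split into their own statement that keeps Resource "*".
    The input policy is not modified."""
    out = copy.deepcopy(policy)
    new_statements = []
    for stmt in out["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        is_ec2_wildcard = (stmt.get("Effect") == "Allow"
                           and "*" in _as_list(stmt.get("Resource", []))
                           and any(a.startswith("ec2:") for a in actions))
        if not is_ec2_wildcard:
            new_statements.append(stmt)
            continue
        unscopable = [a for a in actions if a in NON_SCOPABLE]
        scopable = [a for a in actions if a not in NON_SCOPABLE]
        if unscopable:
            new_statements.append({"Effect": "Allow", "Action": unscopable, "Resource": "*"})
        if scopable:
            new_statements.append({"Effect": "Allow", "Action": scopable,
                                   "Resource": list(instance_arns)})
    out["Statement"] = new_statements
    return out


def to_json(policy):
    """Render the policy the way the IAM console expects it."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    # Placeholder account ID; region and instance ID from the article's screenshots.
    arn = "arn:aws:ec2:us-west-2:123456789012:instance/i-6c939374"
    print("allowed on * before:", wildcard_allowed_actions(RECYCLE_POLICY))
    scoped = scope_to_instances(RECYCLE_POLICY, [arn])
    print("allowed on * after: ", wildcard_allowed_actions(scoped))
    print(to_json(scoped))
```

Run it before pasting the policy into the console: the first printed list is the blast radius the article's note warns about, the second is what remains after scoping.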




Double-check all the information and hit Allow: 


[Screenshot: the same dialog, with the Policy Document now also listing ec2:DescribeTags, ec2:DeleteTags and ec2:StopInstances, and the Allow button] 


After clicking on Allow, the tab will be closed. Go back to the Lambda page, and you will see your 
new role: 


[Screenshot: Lambda function handler and role. Role: Choose an existing role; Existing role: lambda_basic_execution] 


Note: I have experienced an issue when creating a new role. After creating the role, the lambda page would say that there was an error when creating the role. However, reloading the page was enough to make the role appear when selecting the Choose an existing role option. So, if you experience this issue, just reload the page. 


Moving on. The Advanced settings section is useful if you want to dedicate more memory and time to your function. In this case, we don’t need more than 128 MB of memory and a 3 second timeout, since the function is extremely simple. Hit Next: 


[Screenshot: Advanced settings. Memory (MB): 128; Timeout: 0 min 3 sec; VPC: No VPC] 


Review all the information and click on Create function: 


[Screenshot: Review. Name: RecycleInstance; Description: Recycles tainted instances; Runtime: Python 2.7; Handler: lambda_function.lambda_handler; Existing role: lambda_basic_execution; Memory (MB): 128; Timeout: 3; VPC: No VPC; Create function button] 
Congratulations! Your (first?) lambda function is ready! 


Step 3: Create the Trigger 


The third and last step is to create the trigger. To do that, go to the CloudWatch dashboard. On 
the left-hand side, click on Rules: 


[Screenshot: CloudWatch dashboard in US West (Oregon), with Rules listed under Events in the left-hand menu] 


Now click on Create rule: 


[Screenshot: Rules page. "Rules route events from your AWS resources for processing by selected targets." You have no rules. Create rule button] 


The event source will be the AWS API call. To use the AWS API call as an event, you will need to enable CloudTrail, which is a service that stores all calls made to the AWS API. If you haven’t enabled CloudTrail yet, do so before proceeding. Now, select EC2 for the Service name. Finally, click on Specific operation(s) and select CreateTags: 


[Screenshot: Step 1: Create rule. Event selector: AWS API call; Service name: EC2; Specific operation(s): CreateTags] 


On the right-hand side, you will select the target, which will be the lambda function mentioned above. Hit Configure details to proceed: 


[Screenshot: Step 1: Create rule. Event selector: AWS API call, Service name EC2, Specific operation(s) CreateTags. Targets: Lambda function, Function: RecycleInstance. Configure details button] 


Choose a name for the rule (I named my rule RecycleInstanceRule), give it a brief description and hit Create rule: 


[Screenshot: Step 2: Configure rule details. Name: RecycleInstanceRule; Description: Rule for triggering the RecycleInstance Lambda function; State: Enabled. "CloudWatch Events will add necessary permissions for target(s) so they can be invoked when this rule is triggered."] 
Phew, looks like everything is in place! Time to test the whole thing now. You will do two tests: 

• With the manageable tag 
• Without the manageable tag 

Let’s see what happens in each scenario. First, with the manageable tag. Go to the EC2 dashboard, find the server you created a while ago and add the manageable tag if you haven’t done so: 


[Screenshot: Add/Edit Tags dialog. Key/Value: Name = Tainted Server Test; manageable = true] 


Hit save and you’re good to go! Log into your instance. 

$ ssh -i <your-ssh-key> ubuntu@<ip-address> 

As soon as you log in, go back to the AWS Console, refresh the list of instances, and look for the tainted tag: 


[Screenshot: Tags tab. Name = Tainted Server Test; manageable = true; tainted = true] 


Works like a charm. However, if you have just enabled CloudTrail, wait a few minutes before testing so CloudTrail has enough time to start tracking API calls. Now, remember the logic of the lambda function? Since there’s a tag with key manageable, the tainted key will be removed. If you refresh the console after a few more seconds, you will notice that the tainted tag is gone: 


[Screenshot: Tags tab. Name = Tainted Server Test; manageable = true; the tainted tag is gone] 


To make sure there is no mistake, and to confirm your lambda function actually ran, go to the 
CloudWatch dashboard again. Click on Logs: 


[Screenshot: CloudWatch > Log Groups, showing the log group /aws/lambda/RecycleInstance (Expire Events After: Never Expire; Metric Filters: 0 filters; Subscriptions: None)] 
You will notice that there is a log group called /aws/lambda/RecycleInstance. This is the log group that our Lambda function created. Click on it and you will see a log stream: 


[Screenshot: Log Streams. 2016/10/05/[$LATEST]b952214f5bac43f38b84d263b9c8478b, Last Event Time 2016-10-05 23:01 UTC+1] 


Whatever you told your function to print, it will be shown there. Now, the second test! 


Remove the manageable tag from your instance: 


[Screenshot: Tags tab. Only Name = Tainted Server Test remains] 


And ssh into it again. After a few seconds, you will notice two things. The first one is that the in- 
stance was tagged with the tainted key as expected. The second is that the instance is being 
stopped: 


[Screenshot: EC2 Instances. Tainted Server Test, i-6c939374, t2.nano, us-west-2a, Instance State: stopping. Tags tab: Name = Tainted Server Test; tainted = true] 
There you go, both tests have passed! You are now officially credentialed to go serverless in order to protect your infrastructure when servers are tainted! But don’t think that’s the end of it. There is so much more you can do. You could, for example, set up a tool called Snort to detect intrusions on your system and notify the personnel responsible for the system via Slack. Or use OSSEC to monitor when a file is altered and log to Papertrail. Or use Lynis to identify potential vulnerabilities in your system. Play around with all the tools mentioned in this article a little bit more, and you will realize that automation can not only be easily used to deploy software, but also to protect your infrastructure and systems. 
Loading an OpenSSH Hostkey From a Hardware Token on FreeBSD 


by Mike Tancsa 


I had a requirement for creating an sftp server that needs strong client and host authentication. The host needs to know it’s an authorized client connection, and the client needs to know it’s really the host it’s connecting to. SSH and public key crypto are great for this, but what if someone steals a copy of your private key? What if someone breaks into your host and makes off with your hostkey? Until you detect the compromise and revoke and regenerate keys, you run the risk of a man-in-the-middle attack, among other things. 


One way to mitigate this risk is by keeping your private keys on a hardware token on both sides. 


Test setup: FreeBSD RELENG_10, Aladdin eToken 64k (old style with pkcs15 support). From the ports, OpenCT and OpenSC. I built them from the ports as I wanted OpenSC to use OpenCT as the driver to interact with the SafeNet eToken. 


Let’s start by erasing the token and setting up a pkcs15 filesystem. Note, you might need to initialize the eToken on a Windows box to start from scratch. Don’t use these PINs in production. They are there just as an example: 


0{sftp}# pkcs15-init -E
Using reader with a card: Aladdin eToken PRO 64k

0{sftp}# pkcs15-init -C -P --pin 12345678 --puk 999999 -a 01 --label 
Now, let’s generate the actual private and public key on the token itself. There are two ways you can do this. You can either generate the key off the token and then import it, or you can ask the token to generate it on its own hardware. I think there are caveats to both approaches. If your token dies a hardware death, or let’s say a malicious employee or hacker decides to lock the token by too many bad guesses, you are SOL and will need to generate a new key, and then have the entailing fallout from that. Also, how good is the crypto on the token? Everyone loves to beat up OpenSSL, but it is well vetted, and the RND in the *BSD world is very well vetted and understood. Can the same be said for the software on the token? I am not sure either way. 


We now have an RSA pair of keys on the token, private and public. Let’s read the actual public key in an ssh-friendly format. 
Let’s now use that key for the server. To set up our sftp server, I will create a separate instance listening on port 26. We use the stock OpenSSH config for now. We copy over all the default configs as well as the pre-existing ssh keys. Make the following changes to the config you copied over: 
#ListenAddress 0.0.0.0 

#ListenAddress 

@@ -25,10 +25,11 @@ 

# HostKey for protocol version 1 

#HostKey /etc/ssh/ssh_host_key 

# HostKeys for protocol version 2 

-#HostKey /etc/ssh/ssh_host_rsa_key 
+HostKey /etc/ssh-26/ssh_host_rsa-from-agent.pub 
#HostKey /etc/ssh/ssh_host_dsa_key 


#HostKey /etc/ssh/ssh_host_ecdsa_ key 
#HostKey /etc/ssh/ssh_host_ed25519 key 
+HostKeyAgent /root/etoken-agent 


# Lifetime and size of ephemeral version 1 server key 
#KeyRegenerationIinterval lh 
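Review bot: the added HostKeyAgent line hands sshd a filesystem socket (/root/etoken-agent) that can produce host-key signatures, so the socket and its directory must be reachable by root only, as the text after the diff says; state that requirement in a comment next to the line. The new HostKey entry correctly names only the public half (ssh_host_rsa-from-agent.pub), so no private key file for this key should exist on disk at all. Since the dsa, ecdsa and ed25519 HostKey lines stay commented, this server offers nothing but the RSA key from the agent; note that so nobody later "fixes" it by uncommenting an on-disk key.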
@@ -55,6 +56,7 @@ 


# The default is to check both .ssh/authorized keys and .ssh/ 
authorized keys2 


#AuthorizedKeysFile .ssh/authorized keys .ssh/authorized_ keys2 
+AuthorizedKeysFile /etc/ssh-26/authorized keys/%u 


#AuthorizedPrincipalsFile none 
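Review bot: the added AuthorizedKeysFile path is rendered as /etc/ssh-26/authorized keys/%u with a space, while the text later names the directory /etc/ssh-26/authorized_keys; the two must agree or sshd will look in the wrong place. Moving authorized keys out of the users' home directories into a root-owned tree is what keeps sftp-only users from adding their own keys, so the directory and the per-user files must not be writable by the users themselves; worth a comment above the line.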


@@ -146,3 +148,10 @@ 
AllowTcpForwarding no 
PermitTTY no 


ForceCommand cvs server 


+Match Group sftponly 
+ ChrootDirectory ch 


+ ForceCommand internal-sftp 
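Review bot: "ChrootDirectory ch" looks truncated; the value has to be an absolute path to a directory owned by root and not writable by group or others, otherwise sshd refuses the login. Also, the AllowTcpForwarding no and PermitTTY no lines in the context above belong to the stock example block that precedes the new Match, not to Match Group sftponly, so add them (and X11Forwarding no) under the new Match block: ForceCommand internal-sftp on its own does not disable forwarding.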
Let’s now create the public_key for the server: 

When the server sees that it’s just the public key and not the private key, the daemon will look to the defined agent socket to do all the necessary private key operations. So pick your socket location in a place on your server that only root has access to. 

Next, we fire up the agent with the socket that the server expects to communicate with. We then add to the agent, via the PKCS#11 interface, the path that will let the private key do its magic on the token. 

We are now ready to start up the server. Initially, try to run it in debug mode. 


0{sftp}# /usr/sbin/sshd -d -f /etc/ssh-26/sshd_config
debug1: HPN Buffer Size: 65536
debug1: sshd version OpenSSH_6.6.1p1_hpn13v11 FreeBSD-20140420, OpenSSL 1.0.1m-freebsd 19 Mar 2015
debug1: key_parse_private2: missing begin marker
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: will rely on agent for hostkey /etc/ssh-26/ssh_host_rsa-from-agent.pub
debug1: private host key: #0 type 1 RSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-f'
debug1: rexec_argv[3]='/etc/ssh-26/sshd_config'
debug1: Bind to port 26 on ::.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on :: port 26.
debug1: Bind to port 26 on 0.0.0.0.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on 0.0.0.0 port 26. 


In another session, let’s just do a keyscan to see what the server serves up and see that it indeed 
matches the public key that we know. 


ssh-keyscan -t rsa -p 26 localhost
# localhost SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
localhost ssh-rsa AAAAB3NzaC1yc2EAAAAFAL4a91UAAAEBAId3Qzp2kfa8CECP7x400CPw99szSfJIT6MnRNYLK2KUP/TTuMY6qi6Y2KKSaKyDHpJj6BDPLQ4i+z535+N+iZ/ 
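Rather than comparing the keyscan output by eye, here is an added example (not from the article) that computes the SHA256 fingerprint of an OpenSSH public-key line the way ssh-keygen -l does and checks that the key ssh-keyscan returns for the server is the same key the token holds. The toy_rsa_pubkey_line helper builds an ssh-rsa key line from small constructed numbers so the check runs offline; in practice the expected line is the token's public key as read out through OpenSSH's PKCS#11 support, and the scan text is the real ssh-keyscan output.

```python
"""Added example: verify that the host key a server serves matches a known
public key, by SHA256 fingerprint. Not the article's code."""
import base64
import hashlib
import struct


def ssh_fingerprint(pubkey_line):
    """(key type, 'SHA256:...') for one OpenSSH public-key line.
    The fingerprint is base64(sha256(decoded key blob)) without '=' padding,
    which is what ssh-keygen -l -E sha256 prints."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob_b64 = fields[0], fields[1]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keyscan_keys(keyscan_output):
    """Parse ssh-keyscan output into {key type: fingerprint}. Lines starting
    with '#' are the server banner, and the first field of every other line
    is the host name, which is dropped before fingerprinting."""
    found = {}
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keytype, fp = ssh_fingerprint(parts[1])
        found[keytype] = fp
    return found


def served_key_matches(expected_pubkey_line, keyscan_output):
    """True only if the server served a key of the same type with the same
    fingerprint as the expected public key."""
    keytype, expected_fp = ssh_fingerprint(expected_pubkey_line)
    return keyscan_keys(keyscan_output).get(keytype) == expected_fp


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH wire 'mpint' for a positive integer: a leading zero byte is added
    when the top bit is set so the number is not read as negative."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def toy_rsa_pubkey_line(e, n, comment="constructed"):
    """Encode (e, n) as an ssh-rsa public-key line. Constructed toy values
    only; they are far too small to be a real key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    known = toy_rsa_pubkey_line(65537, 0xC0FFEE1234567891)
    # Constructed stand-in for 'ssh-keyscan -t rsa -p 26 localhost' output.
    scan = ("# localhost SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420\n"
            "localhost " + " ".join(known.split()[:2]) + "\n")
    print(ssh_fingerprint(known)[1])
    print("served key matches:", served_key_matches(known, scan))
```

Pipe the real ssh-keyscan output into served_key_matches from a cron job and alert on False: a server that suddenly serves a different fingerprint is exactly the case the hardware token is meant to make impossible.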


Let's create the user now to ssh in. In production, do the same pkcs15 key generation on the client’s hardware token. But for this example, we will use a traditional ssh key file. 

We create the user and add them to the sftponly group. We ask the user for their public key, and we place it in the /etc/ssh-26/authorized_keys directory. 


No matching host key fingerprint found in DNS. 
Are you sure you want to continue connecting (yes/no)? yes 
Permanently added '[192.168.1.1]:26' (RSA) to the list of known hosts. 


Enter passphrase for key: 


192.168.1.1. 
On the server, we check: 


About the Author: 

I oversee all things technical at Sentex Communications. My areas of interest are all things IP as in IPv4 and IPv6. Google is probably the best way to see what I am up to. These days I am interested in security as it relates to PCI, IDS/IPS, large scale logging and analysis etc etc. 

Specialties: Getting a happy meal out of a stone.... (old joke about making the best with what you have) 

Article Source: http://www.tancsa.com/mdtblog/?p=73 
Installing Windows 10 using VNC on FreeBSD 11 and Above 


by Trent Thompson 


This October of 2016 will be a special month for FreeBSD virtualization. Not only will the most recent release of FreeBSD be ready, but it will have been a year since UEFI booting in bhyve was announced via the FreeBSD-Virtualization Mailing List. At the time, bhyve did not have the ability to allow for any type of graphical console, outside of something run on the guest OS like RDP, VNC, or SPICE. Instead, bhyve used a serial console as a means to communicate with the guest operating system. 

Most UNIX operating systems these days have the ability to have a VT100-like console. If you have ever had to console into a Cisco switch or UPS battery using PuTTY, you've probably encountered something similar. Windows has a similar console called Emergency Management Services that allows you to do various administration tasks like changing networking and running CMD.EXE over the serial console. This EMS feature comes standard on official Windows Server Edition installation discs. It is not available by default, and must be enabled by using a Windows Unattended XML file baked into the installation disc. At first glance this is a tedious process, but with the help of scripting, it can be easy to accomplish over and over again. If you want to enable the EMS on a regular Windows Desktop OS, it gets even trickier as you need to copy the EMS files from a Server Edition disc over to a Desktop Edition. 


This changed in the Spring of 2016 with official support for UEFI-GOP, which allows bhyve to attach a graphical console to the guest OS. This means you can now install Windows the old fashioned way by clicking "Next" a bunch of times. Since these changes made it to the FreeBSD HEAD branch before the FreeBSD 11 release process began, these features are a part of FreeBSD 11 RELEASE. For this tutorial, we are going to assume that you are running at least FreeBSD 11 RELEASE or newer. If you are using a FreeBSD derivative like TrueOS you should be fine as long as it is based off of FreeBSD 11 or newer. I will be doing this on a machine tracking the 12 CURRENT HEAD branch, but running FreeBSD 11 should work just fine. This tutorial is split into three sections: 

• What bhyve is and how to set up your host operating system. 
• Obtaining your guest operating system and preparing for installation. 
• Installing and using Windows 10. 

If you want to follow along at home, you should already know a little bit about UNIX-like operating systems, like Solaris or ones that use the Linux kernel. In theory, if you have used a Linux distribution in the past, you should be able to install FreeBSD and follow this tutorial. 


Preparing the Host Operating System 


The FreeBSD bhyve hypervisor first appeared in FreeBSD 10 and has grown quite extensively since then. It is a relatively new hypervisor, being younger than Xen, Linux KVM, ESXi, VirtualBox, and others. The bhyve hypervisor was also ported to Macintosh OS X as xhyve, which is now used by Docker on Mac. The bhyve hypervisor consists of two main components: the VMM kernel module and the bhyve userland utility. There are other userland utilities like grub2-bhyve and bhyveload that use libvmmapi, but we won't go over these in this tutorial. 


Before preparing your host, I suggest you read the FreeBSD handbook entry regarding bhyve here. Pay special attention to the sections regarding CPU compatibility and Section 21.7.1 Preparing the Host. The bhyve hypervisor only works on certain models of CPUs, so be sure to check /var/run/dmesg.boot to make sure your CPU will run bhyve virtual machines. Once you have determined that your hardware can handle bhyve, we can start to prepare the host operating system's kernel and network configuration. As outlined in the handbook, we need to load the VMM kernel module first. You can do this by simply running kldload vmm with super user credentials, or by editing your /boot/loader.conf to avoid having to load the VMM kernel module manually every time you reboot your host. Next we need to set up the networking on the host so the virtual machine can reach the internet. Since we are not going to set up any firewalling or NAT, the virtual machine will appear to be on the same network as the host in this situation. 


To do this, we are going to create a network tap device, create a network bridge, then attach our network interface and tap to the bridge. This sounds complicated, but if you take it a step at a time, it's easier to understand. Before we begin, we need to see what our primary network interface is by running ifconfig. From my output, I can see that igb0 is my primary network interface, as it has an IP address. Your network interface may be something like em0 or something similar. If you are using WiFi, that is a bit more complicated, and involves creating a NAT and forwarding traffic around. For the purposes of this tutorial, we won't be going into that. Instead we will deal with physical Ethernet connections. Now that we know our interface, we can start by creating the network tap. I have multiple taps created already, so I am going to choose a higher number than 0 and number my tap tap42. You can choose any number you like, as long as it is not already in use. Only one virtual machine can utilize a network tap at a time. To create it, I run ifconfig tap42 create. You should now see tap42 in your ifconfig output. 

Next, we need to tell the kernel to bring a tap device up when it is opened. This is so we don't have to run ifconfig tap42 up every time we start the virtual machine. We do this by running sysctl net.link.tap.up_on_open=1 with super user credentials. You can also set this in /etc/sysctl.conf so the change stays after reboot. Now we need to create our bridge. I am going to create a new bridge0. You can create any bridge number you like. We create the bridge with ifconfig bridge0 create, and add our devices with ifconfig bridge0 addm igb0 addm tap42. Note the use of igb0; this may be different depending on what your interface is. To finish things up, we bring the bridge interface up with ifconfig bridge0 up. You can refer to the handbook page on how to edit your /etc/rc.conf to make these network changes persist after rebooting. 


I have simplified this process by writing simple scripts to do the heavy lifting for me. If you take a look at my GitHub repo YetAnotherBhyveScript, or yabs, here you can find the hostprep.sh script to create the bridge and enable the VMM kernel module. Be sure to edit the file before running so it matches your desired network configuration. Once hostprep.sh is run, you can set up the network for your guest by attaching it to the bridge you set up using prepyabs.sh. The contents of hostprep.sh and prepyabs.sh are below: 
#!/bin/sh

# Prepare host for running bhyve guest (v0.2)

tap=tap42
bridge=bridge0
# Physical interface to attach to the bridge. Not present in the extracted
# listing; igb0 is the interface the article uses. Edit to match your host.
iface=igb0

# Load the hypervisor, tap and bridge kernel modules
kldload vmm
kldload if_tap
kldload if_bridge

# Create the tap interface
ifconfig ${tap} create

# Set sysctl so the tap comes up when bhyve opens it
sysctl net.link.tap.up_on_open=1

# Create bridge
ifconfig ${bridge} create

# Attach interfaces
ifconfig ${bridge} addm ${iface} addm ${tap}

# Bring up bridge
ifconfig ${bridge} up
Before diving into the installation, we still need to obtain a Windows installation disc and the correct bhyve UEFI firmware. You can now simply obtain a copy of the UEFI binary by installing a package with a command like pkg install bhyve-firmware. Once the package is installed, a copy of the UEFI binary is dropped into /usr/local/share/uefi-firmware. To make things a bit easier, I tend to copy the BHYVE_UEFI.fd firmware to my working directory. Since I am working in the directory ~/yabs I must run cp /usr/local/share/uefi-firmware/BHYVE_UEFI.fd ~/yabs. Next we will need to download a Windows 10 ISO image from Microsoft. After following the directions on the page, select the 64-bit version. Here's where it can get tricky. If you are not using a GUI on your FreeBSD host, you will have to download the ISO from a browser on another computer, then use something like scp to copy it over to the FreeBSD host. It is not as simple as using fetch to grab the ISO from Microsoft. Since my other host is a Macintosh, I can download via Chrome, then use scp to copy it over to my FreeBSD host. Once you have copied over your Windows 10 ISO, put it into your working directory, in my case, ~/yabs. If you are on Windows, there are some scp clients out there but I would use the FileZilla client instead. 


Next, we need to create the virtual hard drive that Windows will install on. We accomplish this by creating an empty file with truncate. Since the Windows system requirements call for at least 20GB for the 64-bit version, we need to create a 20GB or larger virtual hard drive. I'm going to give myself some room and create a 24GB drive with truncate -s 24G win10.img. Now we will go into the actual bhyve command we will run to start the installation. To simplify things, I created a new yabs.sh shell script that will do this for us. Let's dig in and see how things work under the hood before we run it, as we should anytime we download a shell script from the internet. 
    #!/bin/sh
    # yabs.sh: start the Windows 10 guest. The -s/-l flag column was lost in the
    # scan and is restored here; "name" did not appear in the scanned listing.
    name=win10                          # VM name; pick your own
    ram=2048M
    cpu=2
    disk=win10.img
    media=Win10_1607_English_x64.iso
    mediatype=cd
    tap=tap42
    fw=BHYVE_UEFI.fd
    ip=127.0.0.1                        # bind the VNC framebuffer to localhost only
    port=5901
    w=wait                              # do not boot until a VNC client connects

    bhyve \
      -c ${cpu} -m ${ram} \
      -H -w \
      -s 0,hostbridge \
      -s 1,ahci-${mediatype},${media} \
      -s 2,ahci-hd,${disk} \
      -s 4,lpc \
      -l bootrom,${fw} \
      -s 8,virtio-net,${tap} \
      -s 16,fbuf,tcp=${ip}:${port},${w} \
      -s 17,xhci,tablet \
      ${name} &




Before we start the installation, we need to make sure we have a VNC client ready to go. If you 
are on FreeBSD, you can look into the net/TightVNC port or package. If you are using a Mac, you 
cannot use the built-in VNC viewer; instead you must use another client, like RealVNC. Since 
there is currently no support for authentication to the VNC server, we don't want to open it to the 
outside world. This is why we chose 127.0.0.1 (localhost) to bind to. Of course, if you want to 
connect to it from another machine, you will need to set up port forwarding over ssh. Instead of 
manually running something like ssh -L 5901:127.0.0.1:5901 -p4444 -N -f -l printf 192.164.42.24, we 
can just edit and run the tunnel.sh script, also included in the yabs script collection. Remember, sshhost 
is the IP address of the host running bhyve. 
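The tunnel.sh script itself did not survive the scan. As an added example (not the yabs collection's own tunnel.sh), here is a version that builds the same ssh forward from the yabs.sh values and refuses to run when the framebuffer is not bound to loopback, since bhyve's fbuf has no authentication of its own. sshhost, sshport and sshuser are placeholders.

```shell
#!/bin/sh
# tunnel.sh: forward the bhyve VNC framebuffer port over SSH.
# Added example; it is not the tunnel.sh from the yabs script collection.
sshhost=192.0.2.10   # placeholder: IP address of the host running bhyve
sshport=22           # placeholder: sshd port on that host
sshuser=operator     # placeholder: your login on that host
vncip=127.0.0.1      # must match ip= in yabs.sh
vncport=5901         # must match port= in yabs.sh
localport=5901       # port your VNC client connects to on this machine

# True when the address bhyve's fbuf listens on is loopback only.
is_loopback() {
    case "$1" in
        127.*|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh command that creates the tunnel, or fail if yabs.sh
# binds the framebuffer somewhere the whole network can already reach:
# the fbuf device has no authentication, so the tunnel is the only guard.
tunnel_cmd() {
    if ! is_loopback "$vncip"; then
        echo "refusing: fbuf is bound to ${vncip}, not loopback; fix ip= in yabs.sh" >&2
        return 1
    fi
    printf 'ssh -L %s:%s:%s -p %s -N -f -l %s %s\n' \
        "$localport" "$vncip" "$vncport" "$sshport" "$sshuser" "$sshhost"
}

# Open the tunnel only when executed as a script, not when sourced.
if [ "$(basename "$0")" = "tunnel.sh" ]; then
    cmd=$(tunnel_cmd) || exit 1
    $cmd && echo "tunnel up: point your VNC client at 127.0.0.1:${localport}"
fi
```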


Once you run the tunnel.sh script or run the ssh command manually, we can finally start bhyve to begin the 
Windows 10 install process. We can start it by either running ./yabs.sh as root, or sudo ./yabs.sh 
if you have sudo installed. Remember, bhyve won't automatically start with the wait option 
enabled, so you must connect using your VNC client. The IP address to connect to is your localhost 
(127.0.0.1) and port 5901 in our case. Once connected, you should see the UEFI loader followed 
by the words "Press any key to boot from CD...", so press any key and begin your installation of 
Windows 10. If you have the right hardware, you should have no problems installing. I chose to install 
the Windows 10 Professional Edition with a Custom Install, since we are installing from scratch, 
not upgrading from an earlier version of Windows. While the installation is running, we can use 
this time to download the Virtio driver ISO from The Fedora Project so we can install the network drivers 
when the installation is finished. Without it, your Windows 10 virtual machine won't be able to use 
the internet. You can fetch this ISO file from your command line using something like fetch 
https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso while in 
your working directory. 




Once your installation has moved over all the files, your virtual machine will attempt to reboot. 
Since there is no built-in function in bhyve to reboot, it will just appear that your VM has shut 
down. We must start our virtual machine the same way we did before, and the second part of the 
install will begin. You should see some loading screens and the virtual machine will reboot again. 
Start your virtual machine again to begin the final part of the Windows installation process. Once 
the loading screen is finished, you should be prompted to change some installation settings and 
create a new user. Once you confirm your settings, you will be taken to another loading screen. 
Once it's done, you should see your brand new Windows desktop! We are almost done at this 
point. Remember, you must install the Virtio net drivers in order to have an internet connection. 
Shut down your virtual machine over VNC and edit your yabs.sh script to attach the 
virtio-win.iso disc with something like media=virtio-win.iso if your Virtio disc is in your working 
directory. Once you have started the virtual machine again, you can right click on the Windows 
logo in the lower left hand part of the screen, and click "Device Manager." You should now see a 
device with a yellow triangle called "Ethernet Controller." Right click on that and select "Update 
Driver" then "Browse my computer for driver software." Here you can tell Windows to search your 
CD drive and all of its subdirectories for the driver. 
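Because bhyve exits instead of rebooting the guest, the manual restarts described above can be scripted. The following wrapper is an added example, not part of the yabs collection, and assumes the VM name win10: bhyve(8) reports a guest reboot with exit status 0 (power-off is 1, halt 2), and the VM instance has to be destroyed with bhyvectl before the same name can be started again.

```shell
#!/bin/sh
# Restart a bhyve guest across guest-initiated reboots.
# Added example; not part of the yabs script collection.
# bhyve(8) exit status: 0 = guest rebooted, 1 = powered off, 2 = halted,
# 3 = triple fault, 4 = internal error.
name=win10        # assumed VM name, the ${name} passed to bhyve in yabs.sh
max_reboots=10    # give up on a guest that is stuck in a reboot loop

# Map a bhyve exit status to the loop's next action: "reboot" or "stop".
classify_exit() {
    case "$1" in
        0) echo reboot ;;
        *) echo stop ;;
    esac
}

# run_vm <launcher...>: run the launcher (e.g. the bhyve command from
# yabs.sh without the trailing &) until it ends with something other
# than a reboot. Returns the number of reboots that were handled.
run_vm() {
    reboots=0
    while :; do
        if "$@"; then status=0; else status=$?; fi
        [ "$(classify_exit "$status")" = reboot ] || break
        reboots=$((reboots + 1))
        if [ "$reboots" -ge "$max_reboots" ]; then
            echo "guest rebooted ${reboots} times; giving up" >&2
            break
        fi
        # The kernel still holds the VM instance after bhyve exits; tear it
        # down so the next bhyve run can reuse the name.
        if command -v bhyvectl >/dev/null 2>&1; then
            bhyvectl --destroy --vm="$name"
        fi
    done
    return "$reboots"
}
```

With the wait option still set in the fbuf line, every restart pauses until your VNC client reconnects, exactly as in the manual procedure above.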
That's it, you should now have a Windows 10 virtual machine with access to the internet! Because 
VNC can be a bit sluggish at times, I like to enable Microsoft Remote Desktop (RDP) instead. 
Microsoft puts out RDP apps for a variety of platforms, including Windows, of course, but 
also Mac OS X, iOS, and even Android tablets. You can even send and receive files through RDP, 
as well as listen to and send audio to the virtual machine over RDP. If you are on FreeBSD, you 
can also check out the net/freerdp port to use RDP. If the yabs.sh script isn't your style, you 
can always write your own version, or you can try out one of the many bhyve managers/wrappers 
out there. There is Michael Dexter's vmrc, one of my favorites, Allan Jude's bhyveucl, Matt 
Churchyard's vm-bhyve, my side project iohyve, and its recent fork from Justin Holcomb, 
chyves. Each uses different methods and techniques to store and manage bhyve virtual machines. 
All are really great projects that should be able to get you off the ground. Those are just the tip of 
the iceberg; if you look on GitHub, you can find some more bhyve projects. As always, if you think 
you found a bug, or if you are having problems, don't hesitate to ask questions! 


I always like to end these posts thanking some people who have helped me or who are just doing 
awesome work that is inspiring. For this post, I'd like to thank Kris Moore of the TrueOS project, 
and Michael Dexter of iXsystems for all of the hard work they put into the BSD community every 
day. 


About the Author: 


Trent Thompson is a security engineer by day, but a FreeBSD and virtualization 
hobbyist by night. When not doing BSD related activities, you can find 
him tinkering with something else technical around the house, like musical 
synthesizers, model rockets, or micro-computers from the 1980's. You can 
never have too many hobbies. 


Article Source: http://pr1ntf.xyz 
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OpenBSD 6.0: Why and How 


by Derek Sivers 


The only operating system I use on my computers is not 
Mac, not Windows, and not even Linux. It's OpenBSD, and I 
love it so much. 


Since OpenBSD 6.0 was released today, I figured I should 
say a little something about why I love it, and how you can 
try it. 

It's probably not for you 

It's not for beginners. Beginners should use Ubuntu. 

It's not for people who want to click a button and have the computer hide the details from you. 


If software bloat doesn't bother you — if every new Mac/Windows/Linux release you say, “Bring 
on the features! The more the better!” — it's not for you. 


But if you're experienced, like to “look under the hood”, and prefer software that does the 
minimum necessary, OpenBSD is for you. 


What is it? 
It's like Linux, but has different goals. 


It's known for its focus on security. But, like a well-engineered house will also be 
earthquake-proof, you don't have to be paranoid about earthquakes to appreciate great construction. To me, 
the security features are just a side-effect of great coding. 


OpenBSD comes with a secure minimal firewall, webserver, mailserver, and an optional graphical 
desktop. So if all you want is a few of those things, you do the default install, tweak one config 
file, and you're done. 
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Why OpenBSD instead of Linux? 


It's uncompromising. It's not a people-pleaser or vendor-pleaser. Linux is in everything from 
Android phones to massive supercomputers, so it has to include features for all of them. The 
OpenBSD developers say no to most things. Instead of trying to make it do more, they keep it 
focused on doing what it does with more security and reliability. 


They review and remove code as often as they add. If something is unused, unmaintained, or 
unnecessary, they'll axe it. If it's unwieldy, they'll make a small simple replacement. For examples, 
see doas, OpenSMTPD, httpd, and LibreSSL. This is great for security, too. The more code, the 
more chance of a bug that could compromise your entire computer. The less code, the better. 
Each new release seems to be getting leaner by removing old cruft. No other operating system 
does that. 


Great documentation is a top priority. The built-in man pages are amazing. So if you're stuck on 
anything, searching the man pages on your own computer is going to give you a better answer 
than searching Google. (This makes it nicer to work offline, too.) 


The installers are amazing. The initial installation takes like five minutes. Hit [Enter] to the 
defaults, make your username and password, and it's ready to go. Then the software installer is 
ideal, too. Just pkg_info to search for something and pkg_add to install it in seconds. (Which also 
installs all of its documentation, too.) 


Everything is rock-solid and just works. Hardware I couldn't get working in Linux just works on a 
first try with OpenBSD. And because they don't stay cutting-edge, keeping a cautious pace, it 
keeps working and doesn't break. The whole system is carefully planned and consistent, instead 
of a hodge-podge of bits and pieces. 


It's all free and run by helpful volunteers. If you searched ports, but some application you need is 
missing or out of date, just contact the maintainer and offer some assistance or money to help get 
it updated or added. I've sponsored the OpenBSD port of Elixir, Erlang, Ledger, and Qutebrowser 
(a great web browser you should try.) I also donated $1000 to the OpenBSD foundation to 
support their ongoing work. 


Now, how? 
This is where I could say, “So go to openbsd.org and give it a try! Bye!” 


But since I've tweaked a great setup over the years, I wrapped up some of my instructions and 
config files for you here: 


• If you want to play with OpenBSD on a public-facing server, I recommend Vultr. See “Installing 
OpenBSD 6.0 on Vultr.” 

• Or if you prefer Digital Ocean instead, that's harder, but possible. See “Installing OpenBSD 6.0 
on Digital Ocean.” 

• And once you've got it installed, type this command ... 

    ftp https://sivers.org/file/60.tgz; tar xfz 60.tgz 

• ... and you'll have my personal shortcuts I use for setting up my OpenBSD 6.0 desktop. 


About the Author: 


Derek Sivers: programmer, writer, avid student of life. I make useful things, and share what 
I learn. 


I’ve been a musician, producer, circus performer, entrepreneur, TED speaker, and book 
publisher. 


I started CDBaby and HostBaby, until I felt done, then gave them away. My audio/book 
about it compresses everything I learned into a one hour read. 


Now I’m a writer, programmer, student, and I guess interviewee. 


I’m fascinated with the usable psychology of self-improvement, business, philosophy, and 
culture. I love finding a different point of view. 


I’m home in New Zealand. It’s winter. Hail and sideways rain. 
I’m editing all my old blog posts, in preparation for transcription and recording. 


My main act of public service is answering emails from strangers, so feel free to email me: 
derek@sivers.org 


... but I have to admit I’m really bad at giving advice on big giant questions about life and 
career, so please keep it succinct or specific. 


If my activities or priorities change, I'll update this page. Last update was September 9 
2016. 


The article comes from: https://sivers.org/openbsd 
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HOW IMPORTANT IS YOUR DATA? 


Years of family photos. Your entire music 
and movie collection. Office documents 
you've put hours of work into. Backups for 
every computer you own. We ask again, how 
important is your data? 


NOW IMAGINE LOSING IT ALL 


Losing one bit - that’s all it takes. One single bit, and 
your file is gone. 


The worst part? You won't know until you 
absolutely need that file again. 

[Figure: Example of one-bit corruption] 


THE SOLUTION 


The FreeNAS Mini has emerged as the clear choice to save your digital life. No other NAS in its 
class offers ECC (error correcting code) memory and ZFS bitrot protection to ensure data always 
reaches disk without corruption and never degrades over time. 

No other NAS combines the inherent data integrity and security of the ZFS filesystem with fast 
on-disk encryption. No other NAS provides comparable power and flexibility. The FreeNAS Mini 
is, hands-down, the best home and small office storage appliance you can buy on the market. 
When it comes to saving your important data, there simply is no other solution. 

The Mini boasts these state-of-the-art features: 

- Up to 16TB of storage capacity 
- 16GB of ECC memory (with the option to upgrade to 32GB) 
- 2x 1 Gigabit network controllers 
- Remote management port (IPMI) 
- Toolless design; hot swappable drive trays 
- FreeNAS installed and configured 


FREENAS 


CERTIFIED 
STORAGE 


With over six million downloads, 
FreeNAS is undisputedly the most 
popular storage operating system 
in the world. 


Sure, you could build your own FreeNAS system: 
research every hardware option, order all the 
parts, wait for everything to ship and arrive, vent at 
customer service because it hasn't, and finally build it 
yourself while hoping everything fits - only to install 
the software and discover that the system you spent 
days agonizing over isn’t even compatible. Or... 


MAKE IT EASY ON YOURSELF 


As the sponsors and lead developers of the FreeNAS 
project, iXsystems has combined over 20 years of 
hardware experience with our FreeNAS expertise to 
bring you FreeNAS Certified Storage. We make it 
easy to enjoy all the benefits of FreeNAS without 
the headache of building, setting up, configuring, 
and supporting it yourself. As one of the leaders in 
the storage industry, you know that you're getting the 
best combination of hardware designed for optimal 
performance with FreeNAS. 


Every FreeNAS server we ship is... 


» Custom built and optimized for your use case 

» Installed, configured, tested, and guaranteed to work out 
of the box 

» Supported by the Silicon Valley team that designed and 
built it 

» Backed by a 3 years parts and labor limited warranty 


http://www.iXsystems.com/storage/freenas-certified-storage/ 
As one of the leaders in the storage industry, you 
know that you're getting the best combination 
of hardware designed for optimal performance 
with FreeNAS. Contact us today for a FREE Risk 
Elimination Consultation with one of our FreeNAS 
experts. Remember, every purchase directly supports 
the FreeNAS project so we can continue adding 
features and improvements to the software for years 
to come. And really - why would you buy a FreeNAS 
server from anyone else? 
FreeNAS 1U 

+ Intel® Xeon® Processor E3-1200v2 Family 
+ Up to 16TB of storage capacity 
+ 16GB ECC memory (upgradable to 32GB) 
+ 2x 10/100/1000 Gigabit Ethernet controllers 
+ Redundant power supply 


FreeNAS 2U 

+ 2x Intel® Xeon® Processors E5-2600v2 Family 
+ Up to 48TB of storage capacity 
+ 32GB ECC memory (upgradable to 128GB) 
+ 4x 1GbE Network interface (Onboard) - 
(Upgradable to 2 x 10 Gigabit Interface) 
+ Redundant Power Supply 
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How to Connect Pycharm to Debug 
a Remote Docker Container Using 
the Containers Remote Interpreter 
in BSD 


by Miguel Tavares 


So for a little background on my activity, I’ve been working 
with Python and Stackless Python on Django MVC’s on sev- 
eral BSD servers and using PyCharm as Python IDE to de- 
velop on. 


Problem Definition 


The main problem that we came across when using a BSD server for development with Docker 
and PyCharm was trying to use the PyCharm remote debug functionality that links directly to the 
remote server (Docker container). BSD jails could be used; nevertheless, we wanted to use a port 
of Docker (https://github.com/kvasdopil/docker/blob/freebsd-compat/FREEBSD-PORTING.md) in 
an attempt to continue with the agile development method. 


What follows is intended to use a direct API connection from your PyCharm IDE to the remote BSD 
Docker server, to allow debugging functionality on the fly. 


Solution 


So, mainly, if all that’s needed is to debug code that is launched inside the Docker container, I 
think the best and fastest approach is to: 


1st - (Mandatory) - Use the Professional Edition, as the free version doesn't allow remote server 
debugging on Docker. 


This is supported by the following compatibility matrix of PyCharm features: 
PyCharm Matrix https://www.jetbrains.com/pycharm/features/editions_comparison_matrix.html 
2nd - Using PyCharm's Debug Server feature. For me, it’s a less troublesome way than 
accessing the remote interpreter via SSH, and this is a personal opinion which varies from person to person 
and deals with experience of usage. 


The drawback of using this solution that I find a bit annoying is that for auto-complete and all this 
kind of stuff you should have a copy of the container's interpreter and mark it as project interpreter 
(then it works for the auto-complete function, but I'm not sure if it's possible to debug code from 3rd party 
libs in such cases) or make the container's interpreter files visible to PyCharm (not tested at all). 


Again, note that the Debug Server feature is supported only in the PyCharm Professional Edition, per the matrix above. 
What should be done for debugging via the Python Debug Server? 


2.1 - There is a need to map remote mountpoints or paths to the local PyCharm projects 
path. 


With the above in mind, there is a need to make sure that the directory with your project is added 
into the container. It should look like this in the docker configuration yml file. 


After adding it to the docker-compose file, let’s go to the next step. 


2.2 - Copy the file pycharm-debug-py3k.egg (if your Python version is older than 3, copy 
pycharm-debug.egg instead) from the directory where PyCharm is installed on the host to a directory inside 
the container that is on the container's $PYTHONPATH (running set inside the container shows it). So: 

As shown above, on the staging server there is no pycharm-debug.egg or pycharm-debug-py3k.egg 
yet; the Python interpreter installed on the server is version 3.5. 


The above file can be found inside the PyCharm installation directory and has to be copied to the 
server where you want to use the debug feature. :) 


If you’re running PyCharm in a non-Darwin (Mac/BSD) environment -> C:\Program Files 
(x86)\JetBrains\PyCharm 2016.2.2\debug-eggs or the 64-bit path C:\Program 
Files\JetBrains\PyCharm 2016.2.2\debug-eggs 


BSD -> normally /Applications/PyCharm.app/Contents/pycharm-debug.egg 

Each file is around 900 KB. 


2.3 - Create a Run/Debug configuration for launching the Python debug server on the host as 
described in the "To configure a remote debug server" section of the JetBrains docs. 


Port is any host port of your choice, but the IP is the address at which the host is accessible from 
the container. 


On the server, please execute the following: 


Also, don’t forget to specify the path mappings between projects path at the developer’s host and 
projects path at the container docker-compose.yml file. 


2.4 - Launch this configuration, for example, via Debug button, right from Run one in PyCharm. 


2.5 - Create a Python script that will launch your project and add the following code for debug 
initialization as the first lines of this script. 


(Make sure that pycharm-debug-py3k.egg is in $PYTHONPATH, or this code can't import 
pydevd; this is the reason why you can't trigger the Debug using the remote interpreter with 
Docker in PyCharm ...) 




2.6 - Finally, you will be able to set breakpoints and launch your application from the host, in the 
container via the created script. For example: 


On start, your launching script will connect to the Python debug server, which is running on the 
developer’s host, and stop on the breakpoints set. Debugger features will be available as usual... 
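A host-side helper for steps 2.2 and 2.5, as an added example that is not from the article or from JetBrains: it picks the egg by the container's Python version, copies it in with docker cp, and then checks that pydevd imports inside the container, which is the failure the note under 2.5 warns about. The container name, the PyCharm egg directory and the target directory are assumptions.

```shell
#!/bin/sh
# Stage the PyCharm debug egg into a Docker container and verify it.
# Added example; not from the article or from JetBrains.
container=nexchange-staging                              # assumed container name
eggs_dir=/Applications/PyCharm.app/Contents/debug-eggs   # assumed PyCharm egg dir on this host
target=/opt/pycharm-debug                                # assumed directory inside the container

# Choose the egg from the container's interpreter version (step 2.2).
pick_egg() {
    case "$1" in
        3*) echo pycharm-debug-py3k.egg ;;
        2*) echo pycharm-debug.egg ;;
        *)  echo "unsupported Python version: $1" >&2; return 1 ;;
    esac
}

# Report the container interpreter's version, e.g. 3.5.2.
container_python_version() {
    docker exec "$1" python -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])'
}

# Copy the right egg in and prove that `import pydevd` succeeds there.
# The egg is a zip archive, so the egg file itself must be on PYTHONPATH;
# the launcher script of step 2.5 needs the same PYTHONPATH entry.
stage_egg() {
    ver=$(container_python_version "$container") || return 1
    egg=$(pick_egg "$ver") || return 1
    docker exec "$container" mkdir -p "$target" || return 1
    docker cp "${eggs_dir}/${egg}" "${container}:${target}/${egg}" || return 1
    if docker exec "$container" sh -c "PYTHONPATH=${target}/${egg} python -c 'import pydevd'"; then
        echo "pydevd importable in ${container} via PYTHONPATH=${target}/${egg}"
    else
        echo "pydevd import failed: check PYTHONPATH inside ${container}" >&2
        return 1
    fi
}
```

Run stage_egg once per container; if the final check fails, the launcher script of step 2.5 will fail at the same import.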


Outcome result is as follows: 


[Screenshot: PyCharm debug session attached to the nexchange-release project on root@nexchange-staging] 


Miguel 
Mail - stryng@gmail.com / mtavares@itgatedev.com 
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USING FREEBSD AS A FILE 
SERVER WITH ZFS 


In this course, we will learn how to use the current ZFS capa- 
bilities to help us build a home file server using FREEBSD 
10.3. 


Course launching date: 04th of July 2016 

What will you learn? 

• ZFS administration 
• ZFS concepts and features 

What skills will you gain? 

• ZFS administration basics 

What do you need? 

• FREEBSD 10.3 with root privileges 
• At least 10 GB free space 

What should you know before you join? 

• Basic FREEBSD administration knowledge 


WORKSHOP 


Module 1: FREEBSD and ZFS 

Introduction to ZFS under FREEBSD 

• Why ZFS on FREEBSD? 
• ZFS features and concepts 

Module 2 title: ZFS Administration 

Module 2 description: Cover the commands and features to administrate ZFS volumes 

• Create, destroy, list pools 
• Zpools: single, mirrored, raid 
• Understand ZFS properties 

Module 3 title: Putting it all to work: Hosting our files using ZFS 

Module 3 description: With the previously acquired knowledge, create a plan on how to 
organize our files and pools to host our files. 

• Set ZFS properties based on the content of the files to host 
• ZFS tuning 
• Create a File Server using our pools 


https://bsdmag.org/course/using-freebsd-as-a-file-server-with-zfs-2/ 


marta.ziemianowicz@bsdmag.org 


Be curious, be brave, there’s always 
a sign guiding you towards the right 
direction. 


Emile Heitor, CTO and Co-owner of NBS System, 
and Head of the Research & Expertise Department 
at Oceanet Technology 


by Marta Ziemianowicz, Marta Sienicka & Marta Strzelec 


[BSD Magazine]: Hello Emile, how have you been doing? Can you introduce yourself to 
our readers? 


[Emile Heitor]: I’m great! Thanks for reaching out. I usually go by the nickname “iMil”, I’m 42 
years old, I’m Spanish and French, I live in Valencia, Spain, and am often in Paris where my 
company is located. I’ve been involved in Open Source for 20 years and fell in love with the idea of 
Free Software at first sight. To be honest, the first time I installed a free operating system (SLS 
Linux for the record https://en.wikipedia.org/wiki/Softlanding_Linux_System) I spent quite a while 
trying to find out the piece of license saying that the software would stop working within 60 days :) 


Since then I write code, articles, patches, and use almost exclusively FOSS for both ${WORK} 
and ${HOME}. I discovered the BSD world first by using FreeBSD 2.2.2 in 1997, then NetBSD 
1.3 followed by OpenBSD 2.4. The philosophy behind NetBSD really got me early and I’m an 
advocate for that system since then. 


[BSD Mag]: You haven’t been there long, but can you tell us something about the company 
you are working for: Oceanet Technology? 


[EH]: Actually, Oceanet Technology acquired my previous company, NBS System. 
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The latter is now a division of Oceanet Technology focused on our specialties: Security, Cloud 
Computing and FOSS oriented hosting. 


OT (Oceanet Technology) is deeply committed to the Internet life and eco-system, so we clearly 
were on the same page; we needed more manpower and a larger portfolio and they were 
interested in our Secure Hosting skills, so our merger was only natural. 


[BSD Mag]: What does Head of Research and Expertise Department do? 


[EH]: This is a new department we thought about for quite a while. IT and particularly hosting is 
deeply changing. A previous interview with Amazon’s CTO that BSDmag did a couple of weeks 
ago explains it very well; we’re witnessing a complete paradigm change, services on the Internet are 
not about system administration anymore, and I believe the sysadmin role is going to change 
deeply as time goes by. Nowadays, there’s no escape from the DevOps movement, or more 
precisely, infrastructure as code. This is where my department comes into the game: the RED team 
follows complex infrastructure needs, usually Cloud matters, and brings the expertise companies 
might lack; from hybrid infrastructure design to automated deployments or seamless auto-scaling, 
we capitalize on our experience to set up solid, sustainable platforms for demanding customers. 


[BSD Mag]: Is Oceanet Technology using open source software? 


[EH]: Lots of it. But not only do we “use”, we also write and contribute to Free Software. One of 
our major products, an nginx Web Application Firewall called naxsi, is fully Open Source and 
available on GitHub https://github.com/nbs-system/naxsi, along with many projects you could find on 
our GitHub page https://github.com/nbs-system/. We also participated in numerous FOSS 
projects, from simple problem reports to patching or complete parts written from scratch. NBS 
System is deeply involved in FOSS; it’s been part of our DNA since day 1. 


Some people still ask why we “donate” all that software for free, well it’s not like that, first there’s 
the community workforce, but also the marketing power of an Open Source project, it dramatically 
improves your visibility thus your SEO. Not to mention the need for us to contribute to a world that 
made our work possible and exciting. 


[BSD Mag]: You have been a developer in NetBSD Foundation for over 7 years. What have 
you been working on? 


[EH]: While I worked on different areas, packaging has always been my #1 interest. I find 
packaging to be a vast and demanding area; each package requires special attention. You might find 
yourself patching software written in a language you didn't learn in order for the software to 
build on many platforms, as pkgsrc has inherited the cross-platform philosophy from NetBSD, then 
interact with “upstream” (probably the software author) for integrating your patches into his work. 
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This is, IMHO, how FOSS should work, contributing, interacting, making software better by adding 
many minds into the game. 


I'd say my main contribution to NetBSD is the pkgin package manager. Pkgin can be considered 
a frontend to the venerable pkg_install (pkg_add, pkg_delete...), pretty much like apt is a 
frontend to dpkg; pkgin resolves dependencies for seamless installation, upgrade or package removal. 
That might seem a simple task but trust me it is a headache :) 


An interesting point is that, like pkgsrc itself, pkgin is portable and can be used on many 
platforms; for example, the Joyent company made pkgin their default package manager for their 
SmartOS installations. Pkgin received massive contributions from Joyent, which made it more 
robust https://www.perkin.org.uk/posts/reducing-ram-usage-in-pkgin.html. 


[BSD Mag]: So what’s the most difficult/frustrating area? 


[EH]: Difficult and frustrating are two different items :) The difficulty behind pkgin, as with all 
software whose goal is to make users’ lives easier, is to keep simplicity in mind and not fall into the 
over-engineering trap, you know, “Simplicity is the keynote of all true elegance” (Coco Chanel). 
This is even truer from the developer perspective, and here we’re touching a FOSS developer 
issue: those of us who are not paid for the software we release and do this only as a passion, or 
sometimes just as a hobby, have to compose between personal, professional and community life. 
To be honest, at some points I spent many months without touching a single line of code because 
of professional or personal matters; it is then crucial to produce well documented and clear code 
so you don't feel overwhelmed when the time comes you can get back to it. Moreover, this helps a 
lot in getting more contributions, as potential developers can find their way through thousands of lines 
of code. A hint for young developers: while this state of mind might seem foolish and unnecessary, 
think about the image you'd like to propagate. Nowadays, recruiters look more and more at your 
real skills, and it’s a well-known fact that your GitHub repositories are as valuable as your resume; 
clean code proves a well-structured mind. I myself often judge candidates’ skills by reading some 
of their public work; that’s not a legend, it happens. 


Now on the frustrating area, I'll try myself not to frustrate anyone ;) First, as I said earlier, the vast 
majority of my FOSS work is done in my spare time, nights and weekends, and I feel I don’t 
have enough time to do what needs to be done. I hate the idea that my peers at NetBSD might 
think I am a lazy guy who just doesn't really care. I am very honored to be part of that venerable 
Free UNIX project, one of the oldest, and IMHO one that most beautifully carries UNIX’s 
original philosophy, so it’s kind of frustrating not to be able to give it more of my time. Sometimes I 
wish I'd won the lottery and could spend all my time contributing to FOSS projects... 


On the judgmental topic, I am really sensitive to what people say about my work, and sometimes I must say it hurts when I read sentences like "pkgin sucks", most of the time because people tend to mix up pkgin and packages themselves, or because some find it a useless addition. That's more a personal issue; I have learned to let go and just carry on, I must accept that it's an impossible task to satisfy everyone on the planet.


[BSD Mag]: You live in two different countries (France and Spain). Did you notice any difference in approach to open source in them?


[EH]: Not the way I thought actually. Because of Spain's economic status, I naively believed that Open Source would be stronger there, yet I find it to be less developed than it is in France. This might be a wrong feeling related to the fact that I've only been here since July and lack human networking, but I can't seem to find good Spanish IRC channels or online user groups; there are a couple of FOSS related websites but definitely not that many. I know there are a few NetBSD developers in Barcelona, but in comparison to France, numbers are very low. Again, don't take my word for ultimate truth, that might just be a lack of knowledge. On the other hand, France has a strong and large community, a huge amount of online resources, and numerous FOSS developers. I've been part of it pretty much since day one, when the industry laughed at us, young "Free Software idealists"; we were then told our utopia would never come true, well, guess who's laughing now ;) France has been deeply versed in Free Software for quite a while, mainly due to a very solid community that's been fighting since the 90's for the movement to acquire its actual pedigree.


[BSD Mag]: Is there any reason why you decided to be part of the NetBSD Community? Why not other BSD projects?


[EH]: As always: all is a matter of personal choices and taste. What I truly loved in NetBSD was the way they looked at computing; the project was meant to be portable from the very beginning, and the code had to be as clean as possible in order to easily be adapted to other platforms. Take the 802.11 stack: we have standards, methods, it's not chaos; if you are to write a Wireless driver for NetBSD, there are rules, and from these rules you'll be able to produce a standard driver much more easily than you'd do in a less controlled environment. I've always liked the idea of portability and reusability, so I quickly found NetBSD to be my anchor. But I'm not NetBSD-exclusive, I lead a French Free Unices support group, The GCU-Squad, composed of many contributors to NetBSD, FreeBSD, OpenBSD, DragonFlyBSD and even GNU/Linux. We often share ideas or even code. For example, Baptiste Daroussin (bapt@FreeBSD), FreeBSD's pkgng creator, is part of that community and it is a little-known fact that pkg actually started as a pkgin fork during a pkgsrcCon in Paris! At that time, we thought FreeBSD ports and NetBSD pkgsrc were close enough to share a big portion of the code but it turned out to be counter-productive, so Baptiste started again from scratch but using pretty much the same ideas and tools.


I also use FreeBSD as a workstation at ${DAYJOB} and GNU/Linux for laptops that can't run any BSD UNIX. I tend to keep a close eye on various technologies so as not to jail myself in a dogmatic or narrow view.
[BSD Mag]: How often do you meet people in the open source community who do have that narrow view on what's good and proper?


[EH]: Well... way too often. But you know, that specific world is full of egos; I myself probably do it more than I should, nevertheless I try to keep a low profile and keep in mind that there's always a smarter person. As individuals, we all have a precise idea on how things should be done and sometimes can't stand how some people did it the other way around. I would say there are two options. The first one, more constructive, is when you don't agree with a design or technological choice and try to bring an insightful point of view; best case scenario you come up with answers instead of just being sarcastic or even mean (read: troll). The second scenario is harder, when you fully disagree with the design and the counterpart sticks to its original idea, whether it is right or not (from your perspective), and finally, the design you disagreed with is widely adopted and you have to deal with it, learn it, whether you like it or not. For me, that's what's happening with technologies like systemd or docker.


[BSD Mag]: As a Freelance Journalist, what do you like to write about the most? 


[EH]: Most of my articles are based on real-life experiences. I like to dig into new subjects, understand their philosophy, and then explain it to people. Most of my recent articles are about advanced system administration, orchestration, and well, DevOps. But I also wrote quite a lot about NetBSD; with the NetBSDfr user group that I am part of, we wrote a series of articles talking about history, usability and how to contribute, I believe this made NetBSD a bit more popular in France. I'm also fond of UNIX history, I could tell it 100 times in a row; one of my favorite article subjects was how to set up an ancient 2.11BSD UNIX with a PDP11 emulator, bring TCP/IP to it and join IRC :)


All articles are available online for free at http://connect.ed-diamond.com/auteur/view/9415-heitor_emile_imil but written in French, sorry.


[BSD Mag]: Your company Cloud at NBS System was merged with AWS? How do you feel about it? What do you think about AWS?


[EH]: A wide subject. Two years ago, our customers put a lot of pressure on us to be able to manage their platforms not only in our own cloud but also in AWS, and as the demand was growing, we decided to embrace the movement. But we didn't want to only "use" AWS, we wanted it to be part of our orchestration system; in short, we had the idea that an Amazon Region should be nothing more than an additional datacenter for us. So we did a couple of months of R&D to adapt our information system to EC2, so we could deploy seamlessly on our own Cloud or on AWS at the client's request. It turned out to be a huge win. We adapted our secure hosting methodologies and mechanisms to EC2 so we were able to guarantee the same security level in both worlds and suddenly found ourselves deploying massive infrastructures in Australia and the United States just
That said, how I feel about AWS should be clear: I find it amazing. Amazon changed the world of hosting as we knew it; the way you interact with resources is incredibly well designed, making it possible to put in place complex platforms from your chair, no more server racks, no more storage hassle, just code and brain juice.


I must say I'm a bit worried that, soon, system administration as we know it will no longer exist; I'm not worried because plugging RJ45 is the most rewarding task, but because I feel younger generations might forget what a datacenter is made of. Pushing it further, I fear that the very meaning of an operating system will make little sense; think about serverless hosting, I am already dealing with customers that only push code to AWS Lambda and trigger it through an API gateway, they don't know what the underlying operating system is, and honestly, they don't care. This saddens me a bit...


[BSD Mag]: Are there any challenges your company, Oceanet Technology, is facing at the moment?


[EH]: Well, this is the perfect transition; IMHO, the main challenge that's upon us is the paradigm change. The very nature of a hosting and managed services company is about to be shaken up; we need more developers that are capable of thinking out of the box and know what a system is made of, a very rare resource nowadays if you ask me. It's not just about setting up a web server anymore, but how you plan your infrastructure for continuous integration and volatile resources.


[BSD Mag]: Any plans for the future? 


[EH]: Regarding my personal and professional life, I just moved to Spain with my wife and dog, and I'm making my new department at OT prosper and flourish; the future is right now for me!


Regarding FOSS and NetBSD in particular, I'd want it not to become obsolete and to embrace the world of dematerialized IT that's growing. By its clean, secure and small footprint essence, I am convinced that NetBSD has a bright future in many areas, for example in the infamous Internet of Things world; we surely need more visibility on such matters. On an even more trendy topic, I started a container-like project aimed at mimicking some of Docker's features on NetBSD and Mac OS X; it uses UNIX's venerable chroot capabilities and it's available on GitHub: https://github.com/NetBSDfr/sailor. It does what I wanted it to do initially, to isolate services within a minimalistic system, but I might make it grow if more interest is shown in the project.


While it's not making the headlines, NetBSD has unique features that are yet to be better known in the world of today's virtualization; in particular, I couldn't encourage your readers enough to have a look at Antti Kantee's fabulous http://rumpkernel.org/ project.
[BSD Mag]: Do you have any piece of advice for our readers?


[EH]: For the younger ones: be curious, be brave, read, understand; doubt is not a weakness, it makes you think clearly; stick to your desires, follow your heart and look around you, there's always a sign guiding you towards the right direction. Yes that's a bit personal, but I truly believe it :)


Thank you for those insightful questions, it’s been a pleasure answering them. 


About Emile: 


Emile "iMil" Heitor was once an electronic music DJ who's been kidnapped and brainwashed by Open Source ninjas 20 years ago, leaving him very little brain space to compose and party; instead, he became a Free Software evangelist, Cloud Computing expert, Software and Infrastructure designer, perversely joining both his work with his passion so that he's constantly possessed by the need of learning more and cursed with the impression of knowing nothing.


Oceanet




Rob’s COLUMN 


With the rapid expansion of the Internet Of Things (IoT) where does the responsibility lie for good design, safety and security? Will manufacturers step up to the plate and take security seriously or will it ultimately be down to the consumer to decide where to draw the line?


by Rob Somerville 


Technology has a nasty habit of rising on a sea of progress and being adopted in the most obscure areas whilst the security risks remain hidden from the end user. Five years ago, the Department of Veterans Affairs tracked over 170 medical devices that were infected with malware. Whilst many positive steps have been taken to ameliorate the risks, the concept that a miscreant could interfere with a heart monitor, infusion pump or pacemaker takes us into a dark area that science fiction writers of 50 years ago would have considered fantasy. Like the crisis surrounding the Millennium Bug, we will manage to work around the issue, yet at the same time the core problem is so intractable that the only solution is just that — a work around, a patch, a fix. The author is well aware of systems that could not be fixed during that era, where the only cure was to literally roll back the clock, hoping that by the next time the critical date deadline approached either a) someone remembers to reset the clock again or b) the kit has been decommissioned and replaced with something more robust from an engineering perspective. Thankfully, the human race is very adaptable and unless some cataclysmic crisis descends upon us we normally adapt well. However, as an engineer I always feel rather uncomfortable about "unknown unknowns", especially where the risks could lead to injury, suffering or indeed death. While I appreciate that walking outside my front door involves an element of risk, and as a mortal being I will inevitably meet my end one day, I'd prefer to be aware and in control of the risks. Flying on a commercial airliner is one thing, getting a lift home from a colleague who has been drinking is another. But what if the colleague has smoked some weed, taken some cocaine or some other drug that is not immediately obvious?


There seem to be two different classes of IoT devices — those whose major function is to act as a computer or processor and those that have Internet connectivity bolted on for accessibility and connectivity purposes. The former devices have no excuse for any fallibility when it comes down to security, as the right choice of operating system, kernel design and encryption should be baked into the design right from the start. The problem with these devices is in the patch cycle, where the manufacturer wants to increase functionality (or possibly even security) by installing a revised software version remotely. I would argue that such updates should really be a return-to-manufacturer affair, where the process is strictly controlled and monitored. After all, if a manufacturer can push an update, or a device pull one, an accomplished hacker can achieve the same result if they can circumvent the security controls in place. This could be a positive revenue stream for the manufacturer: if you want the additional functionality, we will charge you for it. Conversely, if we have found a security hole, we launch a product recall and install the fix free of charge. A possible attack vector has been eliminated, and unless the device is so poorly designed that it can be turned into part of a botnet by a remote exploit, the risks are low.


The other type of device is a more difficult proposition. Quite possibly any software is deeply embedded and, while the physical method of update might be via a field service engineer's thumb drive, the underlying intelligence of the firmware may not be sufficient to even support basic encryption. A good example of this is the infra-red remote keys for cars. An enterprising hacker / thief discovered that by using a programmable TV remote control, they could capture the IR stream while wandering around a car park, and therefore gain access to the vehicle. While this problem has been addressed by the manufacturers, any insecure communication is strictly verboten in this age of packet sniffers and powerful mobile devices.


The key issue here is that all IoT devices must be designed with security and encryption in mind. The early mobile phone networks were purely analogue, and many stores sold receivers to the general public that could intercept these calls. Some devices were so poorly designed that even a domestic radio could pick up the transmission if you knew where to look. This inherent weakness has largely died out with the widespread adoption of encrypted digital networks, but it would be naive to think this vector is exploitable purely in the domain of law enforcement, the telcos and the security services.


So we are back to the old issues of governance, technology standards and good engineering practice if we are to meet the challenge of the criminal fraternity who consider the IoT as an additional source of income. Hopefully, the consumer will wake up to the risks and only purchase reputable kit and take all the necessary steps so that they don't become a victim. Sadly though, most people don't always grasp the issues. While it might be a convenience to be able to view CCTV pictures of your house on your mobile phone, the same information could ironically be turned against you. The question the consumer needs to ask is how much thought has gone into the design of this product? And will it be a blessing or a curse? For at the end of the day, if you do suffer loss due to an IoT device, unless a critical mass of unhappy customers reaches the ear of the media, it is unlikely that you will get any redress from the manufacturer or retailer. This is especially true of cheap devices where not only the original design may be suspect, but any chance of long-term support is negligible. As always in such a fast moving and volatile market, the words Caveat Emptor - Let the buyer beware — have never been so applicable.